Cisco has released a security advisory about two vulnerabilities in the API and web-based management interfaces of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS). The flaws could allow an authenticated, remote attacker with read/write privileges to the application to write files or execute arbitrary code on the underlying operating system of an affected device as the root user.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs you need to know:

CVE-2022-20754

The first vulnerability exists in the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS. This vulnerability is due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by authenticating to the system as an administrative user and then submitting crafted input to the affected command. A successful exploit could allow the attacker to overwrite arbitrary files on the underlying operating system as the root user.

CVE-2022-20755

The second vulnerability exists in the web-based management interface of Cisco Expressway Series and Cisco TelePresence VCS. This vulnerability is also due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by authenticating to the system as an administrative user and then submitting crafted input to the affected command. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system as the root user.
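Both advisories describe the same bug class: an argument supplied by an authenticated administrator reaches an operating-system command without sufficient validation. The following added example (mine, not Cisco's code; the command name `cluster-db-tool`, its flags and the node-name format are hypothetical) shows the weak pattern next to the hardened one: interpolating the raw argument into a shell string versus allowlisting its shape and passing it as a single argv element.

```python
import re
import subprocess

# Illustrative only: the "cluster-db-tool" command, its flags and the
# node-name format are placeholders, not anything from Cisco's products.

# Allowlist: the only shape a cluster node name may take. Anything else
# (shell metacharacters, path separators, leading dots) is rejected.
NODE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,62}$")


def build_command_unsafe(node_name: str) -> str:
    """Weak pattern: the raw argument is interpolated into a shell string.
    Whatever the caller typed is parsed by the shell, so a metacharacter in
    node_name changes which commands run or which file gets written."""
    return f"cluster-db-tool --node {node_name} --export /tmp/export.db"


def validate_node_name(node_name: str) -> str:
    """Reject anything outside the allowlist before it reaches a command."""
    if not NODE_NAME.fullmatch(node_name):
        raise ValueError(f"invalid node name: {node_name!r}")
    return node_name


def build_command_safe(node_name: str) -> list:
    """Hardened pattern: validate first, then build an argv list so that no
    shell ever parses the argument. The output path is fixed by the code,
    never derived from user input."""
    return [
        "cluster-db-tool",
        "--node", validate_node_name(node_name),
        "--export", "/tmp/export.db",
    ]


def run_safe(node_name: str) -> subprocess.CompletedProcess:
    """Execute with shell=False: the validated argument is delivered verbatim
    as one argv element. (Only runs if cluster-db-tool actually exists.)"""
    return subprocess.run(build_command_safe(node_name), shell=False, check=True)


if __name__ == "__main__":
    crafted = "node1;id"          # constructed input containing a metacharacter
    print(build_command_unsafe(crafted))   # the ';' would be honoured by a shell
    try:
        build_command_safe(crafted)
    except ValueError as err:
        print("rejected:", err)
```

The allowlist is the important part: escaping (for example with `shlex.quote`) only protects the shell layer, whereas a strict pattern also stops path separators and option-like strings from reaching the underlying program, which is what matters when the command can write files as root.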

Mitigation

The following products are affected by these vulnerabilities:

  • Cisco Expressway: X14.0.3 – X14.0.4
  • TelePresence Video Communication Server (VCS): X14.0.3 – X14.0.4

There are no workarounds for these two vulnerabilities. The only way to address them is to install the free software updates provided by Cisco. Both vulnerabilities received CVSS scores of 9 out of 10 and are rated critical. Therefore, customers are urged to update to the latest versions as soon as possible.

Known exploited vulnerabilities catalog

The two vulnerabilities that were included in the security advisory were found during internal security testing, so there is no reason to assume that they are being exploited in the wild. The same is true for two high-severity vulnerabilities in Ultra Cloud Core – Subscriber Microservices Infrastructure (SMI) and Identity Services Engine (ISE) patched earlier. These are CVE-2022-20762 (CVSS score of 7.8) and CVE-2022-20756 (CVSS score of 8.6). Another vulnerability patched this week was CVE-2022-20665 (CVSS score of 6.0) in the command line interface of Cisco StarOS which could allow an authenticated, local attacker to elevate privileges on an affected device.

While these vulnerabilities are not known to be exploited in the wild, a look at the Known Exploited Vulnerabilities catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA) shows that of the 95 vulnerabilities added yesterday, 3 March, 38 are Cisco’s.

The affected products:

  • Small Business RV160, RV260, RV340, and RV345 Series Routers
  • Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers
  • Catalyst 4500 Series Switches and Cisco Catalyst 4500-X Series Switches
  • Catalyst 6800 Series Switches
  • Cisco IOS XE Software
  • IOS, XR, and XE Software

Some of these vulnerabilities need to be fixed by 17 March 2022, while others have a due date of 24 March. These types of vulnerabilities are considered a frequent attack vector for threat actors and a significant risk.

The Known Exploited Vulnerabilities Catalog has been established to act as a living list of known CVEs that carry significant risk to the federal government. Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date. Although BOD 22-01 only applies to FCEB agencies, organizations are encouraged to play along too, and reduce their exposure to cyberattacks with prompt patching of the most serious vulnerabilities.
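The catalog is published as a JSON feed, so the triage described above (which of the newly added entries are ours, and which due date applies) can be scripted. The following added example is mine, not CISA's or Cisco's code. The field names follow the public KEV feed as I know it (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, and so on); the CVE identifiers and descriptions in the embedded sample are placeholders, and only the vendor and product names and the 3, 17 and 24 March 2022 dates are taken from this article.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed. In real use,
# replace this string with the contents of the downloaded feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE ids below are deliberately invalid placeholders.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "constructed-sample",
    "dateReleased": "2022-03-03T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "Cisco",
         "product": "Small Business RV Series Routers",
         "vulnerabilityName": "placeholder", "dateAdded": "2022-03-03",
         "shortDescription": "placeholder",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-03-17", "notes": ""},
        {"cveID": "CVE-0000-0002", "vendorProject": "Cisco",
         "product": "IOS XE Software",
         "vulnerabilityName": "placeholder", "dateAdded": "2022-03-03",
         "shortDescription": "placeholder",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-03-24", "notes": ""},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct",
         "vulnerabilityName": "placeholder", "dateAdded": "2022-03-03",
         "shortDescription": "placeholder",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-03-17", "notes": ""},
    ],
})


def load_catalog(text: str) -> list:
    """Parse the feed and return the list of catalog entries."""
    return json.loads(text)["vulnerabilities"]


def added_on(entries: list, day: date) -> list:
    """Entries whose dateAdded equals the given day (e.g. yesterday's batch)."""
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) == day]


def by_vendor(entries: list, vendor: str) -> list:
    """Case-insensitive match on the vendorProject field."""
    return [e for e in entries if e["vendorProject"].lower() == vendor.lower()]


def overdue(entries: list, today: date) -> list:
    """Entries whose BOD 22-01 due date has already passed."""
    return [e for e in entries if date.fromisoformat(e["dueDate"]) < today]


def due_within(entries: list, today: date, days: int) -> list:
    """Entries due between today and today+days, earliest first."""
    horizon = today + timedelta(days=days)
    hits = [e for e in entries
            if today <= date.fromisoformat(e["dueDate"]) <= horizon]
    return sorted(hits, key=lambda e: e["dueDate"])


def report(text: str, vendor: str, added: date, today: date) -> dict:
    """Summarise one day's additions for one vendor: ids, overdue, due soon."""
    batch = added_on(load_catalog(text), added)
    mine = by_vendor(batch, vendor)
    return {
        "total_added": len(batch),
        "vendor_added": [e["cveID"] for e in mine],
        "overdue": [e["cveID"] for e in overdue(mine, today)],
        "due_within_14_days": [e["cveID"] for e in due_within(mine, today, 14)],
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_KEV, "Cisco", date(2022, 3, 3), date(2022, 3, 18)), indent=2))
```

Run against the real feed, `report()` gives the per-vendor slice of a day's additions with the items already past their due date separated from those still inside the window, which is the list a patch-management team actually needs, whether or not BOD 22-01 formally applies to them.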

Stay safe, everyone!