Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities
Description
Multiple vulnerabilities in the API and web-based management interfaces of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to write files or disclose sensitive information on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated remote attackers can write arbitrary files or disclose sensitive information via the API and web interfaces of Cisco Expressway Series and TelePresence VCS.
Vulnerability
Multiple vulnerabilities in the API and web-based management interfaces of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) allow an authenticated, remote attacker to write files or disclose sensitive information on an affected device. The affected products include all Cisco Expressway Series and Cisco TelePresence VCS releases prior to the fixed versions. Devices in the default configuration are vulnerable to both CVE-2022-20806 and CVE-2022-20807. These vulnerabilities are not dependent on one another [1].
Exploitation
An attacker must have authenticated access to the affected device's API or web-based management interface. No additional privileges or user interaction beyond authentication is required to trigger the vulnerable code path. The specific attack vectors involve crafted requests to the cluster database API or other management endpoints, but the exact sequence of steps is not publicly detailed beyond the advisory [1].
Impact
Successful exploitation could allow an attacker to write arbitrary files to the device's filesystem or disclose sensitive information. The impact varies depending on the specific vulnerability: CVE-2022-20806 enables arbitrary file write, while CVE-2022-20807 enables information disclosure. The attacker could gain access to sensitive configuration data or overwrite critical system files, potentially leading to further compromise [1].
Mitigation
Cisco has released software updates that address these vulnerabilities. The fixed versions are available for Cisco Expressway Series and Cisco TelePresence VCS. There are no workarounds that address these vulnerabilities. Administrators should upgrade to the appropriate patched release as specified in the Cisco Security Advisory [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
[1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-filewrite-bsFVwueV (mitre, vendor-advisory, x_refsource_CISCO)