Unrated severity · NVD Advisory · Published Jul 6, 2022 · Updated Nov 6, 2024

Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities

CVE-2022-20812

Description

Multiple vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device. Note: Cisco Expressway Series refers to the Expressway Control (Expressway-C) device and the Expressway Edge (Expressway-E) device. For more information about these vulnerabilities, see the Details section of this advisory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cisco Expressway and VCS devices allow remote attackers to overwrite arbitrary files or conduct null byte poisoning via API and web management interface flaws.

Vulnerability

CVE-2022-20812 describes a set of vulnerabilities in the API and web-based management interface of Cisco Expressway Series (Expressway-C and Expressway-E) and Cisco TelePresence Video Communication Server (VCS). These flaws could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device. The advisory [1] covers multiple CVEs affecting these products. The exact vulnerable software versions are detailed in the Cisco Security Advisory [1].

Exploitation

An attacker can exploit these vulnerabilities remotely without authentication by sending specially crafted requests to the API or web management interface of an affected device [1]. No user interaction is required for exploitation. The attacker needs network access to the targeted Cisco Expressway or VCS device.

Impact

Successful exploitation allows a remote attacker to overwrite arbitrary files on the device or conduct null byte poisoning attacks [1]. This could lead to denial of service, unauthorized modification of configuration files, or potentially code execution depending on the files overwritten. The impact relates to compromise of confidentiality, integrity, and availability of the affected device.

Mitigation

Cisco has released free software updates that address these vulnerabilities [1]. Customers with service contracts should obtain the fixed software through their usual update channels. Customers without service contracts should contact Cisco TAC or their contracted maintenance providers. The specific fixed versions are listed in the Cisco Security Advisory [1]. No workarounds are mentioned in the advisory.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

References

2
