Cisco patched two critical vulnerabilities in Expressway and TelePresence Video Communication Server. Tracked as CVE-2022-20812 and CVE-2022-20813, the vulnerabilities could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device. The vulnerabilities exist in the API and the web-based management interface of Cisco Expressway Series and TelePresence Video Communication Server (VCS).
CVE-2022-20812 was encountered during internal security testing by Jason Crowder of the Cisco Advanced Security Initiatives Group (ASIG). CVE-2022-20813 was found during internal security testing by Deklan Evans of Cisco ASIG.
The two vulnerabilities are independent of each other. It is not necessary to exploit one vulnerability to exploit another. A software release that is impacted by one of the vulnerabilities might not also be impacted by the other.
Cisco Expressway Series and TelePresence VCS Arbitrary File Overwrite Vulnerability (CVE-2022-20812)
The vulnerability exists in the cluster database API of the Cisco Expressway Series and TelePresence VCS. This flaw results from inadequate input validation of user-supplied command arguments.
An authenticated, remote attacker with Administrator read-write privileges on the application could exploit this vulnerability to conduct absolute path traversal attacks on a vulnerable device and overwrite files on the underlying operating system as root user.
Cisco Expressway Series and TelePresence VCS Null Byte Poisoning Vulnerability (CVE-2022-20813)
This vulnerability exists in the certificate validation of the Cisco Expressway Series and TelePresence VCS. An unauthenticated, remote attacker could exploit this vulnerability to access sensitive data without authorization.
This vulnerability occurs due to improper certificate validation. This vulnerability could be exploited using a man-in-the-middle attack to intercept traffic between the devices and a specially created certificate to pretend to be the endpoint. On successful exploitation, the attacker could change the traffic’s contents or see the intercepted traffic in clear text.
Cisco Expressway Series and TelePresence VCS versions older than 14.0.7 are affected by this vulnerability.
Customers are advised to upgrade to the latest Cisco Expressway Series and TelePresence VCS version 14.0.7. For more information, please refer to the official Cisco Security Advisory (cisco-sa-expressway-overwrite-3buqW8LH).
Qualys customers can scan their devices with QID 38875 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.