Cisco has released a new security advisory warning of a high-severity flaw affecting IP Phone 7800 and 8800 Series firmware that could be potentially exploited by a remote attacker to cause remote code execution or a denial-of-service (DoS) condition.
The networking equipment major said it’s working on a patch to address the vulnerability, which is tracked as CVE-2022-20968 (CVSS score: 8.1) and stems from a case of insufficient input validation of received Cisco Discovery Protocol (CDP) packets.
CDP is a proprietary network-independent protocol that is used for collecting information related to nearby, directly connected devices such as hardware, software, and device name, among others. It’s enabled by default.
“An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device,” the company said in an alert published on December 8, 2022.
“A successful exploit could allow the attacker to cause a stack overflow, resulting in possible remote code execution or a denial of service (DoS) condition on an affected device.”
Cisco IP phones running firmware version 14.2 and earlier are impacted. A patch is scheduled for release in January 2023, with the company stating that there are no updates or workarounds to remediate the issue.
However, on deployments that support both CDP and Link Layer Discovery Protocol (LLDP) for neighbor discovery, users can opt to disable CDP so that the affected devices switch to LLDP for advertising their identity and capabilities to directly connected peers in a local area network (LAN).
“This is not a trivial change and will require diligence on behalf of the enterprise to evaluate any potential impact to devices as well as the best approach to deploy this change in their enterprise,” the company said.
It further warned that it’s aware of the availability of a proof-of-concept (PoC) exploit and that the shortcoming has been publicly disclosed. There’s no evidence that the vulnerability has been actively abused in the wild to date.
Qian Chen from the Codesafe Team of Legendsec at Qi’anxin Group has been credited with discovering and reporting the vulnerability.