How to Fix CVE-2022-20968- Stack Overflow Vulnerability in Cisco IP Phones?


On Thursday, Cisco released important news for its customers about CVE-2022-20968- a high-severity vulnerability that affects some of its IP phones, and that it is working on its patches. The company says it’s unaware of any malicious attacks exploiting the vulnerability, but it has been “publicly discussed,” and a proof-of-concept (PoC) exploit is available. 

Cisco was reported of this vulnerability by Qian Chen of the Codesafe Team of Legendsec at the Chinese cybersecurity firm Qi’anxin Group. Cisco released a patch for the vulnerability in January 2023. However, in the meantime, the company provided a mitigation that could be used until the patch was released.

A Short Note About Cisco Discovery Protocol

CDP, or Cisco Discovery Protocol, is a proprietary protocol developed by Cisco that allows network devices to discover and collect information about directly connected neighbor devices. It operates on the data link layer and can run on all media supporting Subnetwork Access Protocol (SNAP).

CDP has two versions: 

  1. CDPv1: It is the initial version of the protocol, which is capable of collecting basic device information only, such as the device name and the IP address, of directly connected neighbor devices.
  2. CDPv2 is the most recent protocol version and provides more intelligent device tracking features.

How does CDP work?

Cisco devices periodically transmit CDP packets, which advertise a time-to-live (TTL) value indicating the number of seconds the packet must be retained before it can be discarded. CDP packets are sent with a nonzero TTL value when an interface is enabled and a TTL value of zero immediately before an interface is down. 

All Cisco devices receive and process CDP packets, caching the information in the packet. If there are changes from the last received packet, the new information is cached, and the older information is discarded, even if its TTL value has not expired.

See also  What is PSIRT- Product Security Incident Response Team?

Summary of CVE-2022-20968

  • CVSS Score: 8.1 
  • Severity: High 
  • Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVE-2022-20986 is a security vulnerability present in Cisco IP Phones. An unauthenticated attacker could exploit this vulnerability close to the device. The attacker could cause a stack overflow on the affected device by sending malicious Cisco Discovery Protocol packets. 

The vulnerability is due to a lack of proper input validation when processing such packets. If the exploit is successful, it could result in a denial of service (DoS) condition or allow the attacker to execute code on the affected device remotely. 

Products Vulnerable to CVE-2022-20968

The following are the products affected by CVE-2022-20968:

  • IP Phone 7800 Series
  • IP Phone 8800 Series (except Cisco Wireless IP Phone 8821)

How to Fix CVE-2022-20968- Stack Overflow Vulnerability in Cisco IP Phones?

To address this Stack Overflow Vulnerability in Cisco IP Phones, Cisco advises upgrading the current phone software to the latest one. Cisco has released free software updates that you can obtain through their usual update channels, provided you have service contracts that entitle them to regular software updates.

 

See Also How to Fix CVE-2022-4135- A Heap Buffer Overflow in GPU Component of Chrome

Some key considerations before upgrading the software include: 

  1. Before downloading any software, ensure that you have a valid license and that you only download software versions and feature sets for which you have purchased a license. 
  2. If you have previously purchased software, you can obtain a maintenance upgrade, including security fixes. Still, free security software updates do not entitle you to a new license, additional software feature sets, or major revision upgrades.
  3. To obtain the necessary software updates, visit the Cisco Support and Downloads page on Cisco.com. This page provides information about licensing and downloads and displays your device support coverage if you use the My Devices tool.
  4. You should regularly consult the advisories for Cisco products, which are available on the Cisco Security Advisories page, to determine exposure and a complete upgrade solution. 
  5. Before upgrading, you should also confirm that your device contains sufficient memory and that the new release supports the current hardware and software configurations properly.
  6. If you are uncertain about any aspect of the upgrade process, you should contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers for assistance.
See also  Three BGP Message Parsing Vulnerabilities in FRRouting Protocol Suite

How to Upgrade Cisco IP Phone Firmware 14.2.1?

To upgrade Cisco IP Phone firmware 14.2.1, follow the steps given below: 

How to Upgrade Cisco IP Phone Firmware 14.2.1?

  1. Determine the Model and Version1. Press the Applications button on your Cisco IP Phone.
    2. Navigate to Status using the Navigation cluster button and Select.
    3. Select Product information from the given options and then press Select.
    4. Take note of your phone’s product name/model number.

    Determine the Model and Version
  2. Download the Latest Firmware1. Go to the Downloads page of the Cisco website on your computer.
    2. Choose Products, then go to the Collaboration Endpoints, then IP Phones, and then IP Phone 3. 8800 Series or IP Phone 7800 Series.
    4. Select the exact model of your device.
    5. Click the Session Initiation Protocol (SIP) Software link as the Software Type.
    Choose the software you need to download for your product.
    6. Click Download.
    7. Read the Cisco End User License Agreement link and click Accept License Agreement.
    8. Extract the downloaded file and take note of the location where it is extracted.Download the Latest Firmware
  3. Upgrade the Firmware1. Determine the IP address of your IP Phone by pressing the Applications button.
    2. Navigate to Status and press Select.
    3. Navigate to Network status and press Select.
    4. Look for the IP address and take note of it.
    5. Launch a browser on your computer and enter the following format in the Address bar: http://<phone_ip>/admin/upgrade?<schema>://<serv_ip[: port]>/filename, then press the Enter key.


    Note: Wait for the phone to finish upgrading. The phone may restart a couple of times during the firmware upgrade process. Do not power down the phone while the process is in progress.

    Upgrade the Firmware
  4. Verify the Firmware Version1. Press the Applications button on your IP Phone.
    2. Navigate to Status and press Select.
    3. Navigate to Product information and press Select.
    4. Check the Software version area and verify that the software you downloaded is now on the phone.

    Verify the Firmware Version
See also  Want to Boost Your Content Creation Skills? Try These 7 AI Websites to Make Your Life Easier

Wrapping Up 

CVE-2022-20968 is a high-risk software vulnerability that should be addressed immediately. To fix this Stack Overflow Vulnerability in Cisco IP Phones, Cisco suggests upgrading the versions. To help you learn how to fix CVE-2022-20968, we have mentioned detailed steps above that you can follow and stay safe. 

Leave a Reply

Your email address will not be published. Required fields are marked *