Cisco has released a new security advisory warning of a high-severity flaw affecting IP Phone 7800 and 8800 Series firmware that could be potentially exploited by an unauthenticated attacker to cause remote code execution or a denial-of-service (DoS) condition.
The networking equipment major said it’s working on a patch to address the vulnerability, which is tracked as CVE-2022-20968 (CVSS score: 8.1) and stems from a case of insufficient input validation of received Cisco Discovery Protocol (CDP) packets.
CDP is a proprietary network-independent protocol that is used for collecting information related to nearby, directly connected devices such as hardware, software, and device name, among others. It’s enabled by default.
“An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device,” the company said in an alert published on December 8, 2022.
“A successful exploit could allow the attacker to cause a stack overflow, resulting in possible remote code execution or a denial of service (DoS) condition on an affected device.”
images from Hacker News