Cisco patches critical bugs in collaboration products
Attackers could exploit the flaw to run their own code on Cisco's video conferencing servers
Cisco has patched two critical bugs that could allow attackers to write files and run arbitrary code on its video conferencing and collaboration products.
Each bug affects the company's Cisco Expressway series of collaboration servers and its TelePresence Video Communication Server (VCS).
The first vulnerability, CVE-2022-20754, allows a remote attacker to write files to the system. It lies in the products' cluster database API, which doesn't properly validate user input. This enables attackers to authenticate as an administrative user and then submit malicious input via a directory traversal attack. They could then write their own files with root privileges, including overwriting existing operating system files.
The second flaw, CVE-2022-20755, allows an attacker to execute arbitrary code by exploiting the products' web management interface. An attacker could log in as an admin and then craft malicious input that would let them run their own code as root.
These vulnerabilities, each of which has a 9.0 CVSS score, do not depend on each other, Cisco said in its advisory. with customers being told to install both patches to protect their systems.
Cisco Expressway is a series of devices supporting collaboration with users outside of a company's firewall. The system, which operates without the need for a VPN client, supports video, voice, and instant messaging. Users can also see each others' presence information.
RELATED RESOURCE
The TelePresence VCS is a server for managing video conferencing sessions. It works as an appliance on a customer's premises or in the cloud, and supports communication between different video conferencing platforms.
TelePresence VCS has not been sold since December 2020. Cisco will stop issuing software maintenance patches for this product on December 29 this year and will stop providing support entirely at the end of 2023.
-
Why AI 'workslop' is bad for businessIn-depth Poorly-generated AI content is having a financial impact on businesses, slowing productivity, and creating friction between employees
-
Cisco looks to showcase “unique value” with revamped 360 Partner ProgramNews Cisco has unveiled a revamped partner framework to help partners capitalize on growing AI-driven customer demand
-
Experts welcome EU-led alternative to MITRE's vulnerability tracking schemeNews The EU-led framework will reduce reliance on US-based MITRE vulnerability reporting database
-
Veeam patches Backup & Replication vulnerabilities, urges users to updateNews The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds – but not previous versions.
-
Two Fortinet vulnerabilities are being exploited in the wild – patch nowNews Arctic Wolf and Rapid7 said security teams should act immediately to mitigate the Fortinet vulnerabilities
-
Cisco says Chinese hackers are exploiting an unpatched AsyncOS zero-day flaw – here's what we know so farNews The zero-day vulnerability affects Cisco's Secure Email Gateway and Secure Email and Web Manager appliances – here's what we know so far.
-
Everything you need to know about Google and Apple’s emergency zero-day patchesNews A serious zero-day bug was spotted in Chrome systems that impacts Apple users too, forcing both companies to issue emergency patches
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network AcademyNews The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
