Cisco fixed two critical flaws in Expressway, TelePresence VCS solutions

Cisco fixed critical flaws in its Expressway Series and TelePresence Video Communication Server (VCS) unified communications products.

Cisco announced security patches for a couple of critical vulnerabilities, tracked as CVE-2022-20754 and CVE-2022-20755 (CVSS score of 9.0), in its Expressway Series and TelePresence Video Communication Server (VCS) unified communications products.

“Multiple vulnerabilities in the API and web-based management interfaces of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker with read/write privileges to the application to write files or execute arbitrary code on the underlying operating system of an affected device as the root user.” reads the advisory published by the IT giant.

A remote, authenticated attacker with read/write privileges to the vulnerable application can exploit the vulnerabilities to write files or execute arbitrary code on the underlying operating system with root privileges.

The CVE-2022-20754issue is an arbitrary file write vulnerability in Cisco Expressway Series and Cisco TelePresence VCS, it could be exploited to conduct directory traversal attacks and overwrite files on the underlying operating system. This flaw was caused by insufficient input validation of user-supplied command arguments.

“A vulnerability in the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS could allow an authenticated, remote attacker with read/write privileges to the application to conduct directory traversal attacks and overwrite files on the underlying operating system of an affected device as the root user.” continues the advisory. “An attacker could exploit this vulnerability by authenticating to the system as an administrative user and then submitting crafted input to the affected command. A successful exploit could allow the attacker to overwrite arbitrary files on the underlying operating system as the root user.”

The CVE-2022-20755 flaw is a command injection vulnerability in Cisco Expressway Series and Cisco TelePresence VCS, it resides in their web-based management interface and could allow an authenticated, remote attacker with read/write privileges to the application to execute arbitrary code on the underlying operating system of an affected device as the root user.

“This vulnerability is due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by authenticating to the system as an administrative user and then submitting crafted input to the affected command.” continues the advisory. “A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system as the root user.”

Both vulnerabilities have been addressed with the release of the 14.0.5 version.

The company is not aware of attacks exploiting these vulnerabilities in the wild.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Code execution issue)

[adrotate banner=”5″]

[adrotate banner=”13″]