Flaws found in Cisco

Various flaws in the API and web-based management interface of Cisco TelePresence Video Communication Server (VCS) Software and Cisco Expressway Series Software can permit remote actors to dodge certificate authentication or execute cross-site request forgery attacks on targeted devices.

About the first bug

The first bug, tracked as CVE-2022-20814, is an improper certification validation problem, a remote, unauthorized actor can activate it to access critical information via a man-in-the-middle attack.

A bug in the certificate validation of Cisco TelePresence VCS and Cisco Expressway-C could permit a malicious, remote actor to have unauthenticated access to sensitive information.

The flaw is due to no validation of the SSL server certificate for an impacted device while it builds a connection to a Cisco Unified Communications Manager device.

The Cisco advisory says: “An attacker could exploit this vulnerability by using a man-in-the-middle technique to intercept the traffic between the devices and then using a self-signed certificate to impersonate the endpoint. A successful exploit could allow the attacker to view the intercepted traffic in clear text or alter the contents of the traffic.”

About the second bug

The second vulnerability, tracked CVE-2022-20853 is cross-site request forgery (CSRF) that can be compromised to launch a denial of service (DoS) state by luring the victim to open a specially crafted link.

The Cisco PSIRT did not say anything about attacks in the wild exploiting these bugs or any public announcements.