Cisco released updates this week to address a new set of significant security flaws in the Expressway Series and Cisco TelePresence Video Communication Server (VCS) that could allow an attacker to gain elevated privileges and run arbitrary code.
The two vulnerabilities are CVE-2022-20754 and CVE-2022-20755 (CVSS scores of 9.0). They concern an arbitrary file write flaw and a command injection flaw in the two products' API and web-based administration interfaces, respectively, and might have catastrophic consequences for vulnerable systems. According to the company, both flaws stem from a lack of input validation of user-supplied command arguments, a weakness that a remote attacker could exploit to carry out directory traversal attacks, overwrite arbitrary files, and run malicious code as the root user on the underlying operating system.
“These vulnerabilities were found during internal security testing by Jason Crowder of the Cisco Advanced Security Initiatives Group (ASIG),” the company said in its alert released on Wednesday. Cisco also resolved three more weaknesses, in StarOS, Cisco Identity Services Engine RADIUS Service, and Cisco Ultra Cloud Core – Subscriber Microservices Infrastructure software:
- CVE-2022-20665 (CVSS score of 6.0) – An attacker with administrator credentials might use a command injection vulnerability in Cisco StarOS to run arbitrary code with root privileges.
- CVE-2022-20756 (CVSS score of 8.6) – A denial-of-service (DoS) flaw affecting the RADIUS feature of Cisco Identity Services Engine (ISE).
- CVE-2022-20762 (CVSS score of 7.8) – A privilege escalation problem in Cisco Ultra Cloud Core – Subscriber Microservices Infrastructure (SMI) software’s Common Execution Environment (CEE) ConfD CLI that might allow an authorized, local attacker to escalate to root privileges.
Cisco further stated that the vulnerabilities were discovered via internal security testing or during the resolution of a Cisco Technical Assistance Center (TAC) support issue. No evidence of malicious exploitation of the flaws was found. Customers are encouraged to upgrade to the most recent versions as soon as possible to avoid any potential in-the-wild attacks.