Home > Cloud Security > Cisco Expressway Series and TelePresence VCS Products Receive Critical Patches

Cisco Expressway Series and TelePresence VCS Products Receive Critical Patches

March 4, 2022
CIM Team

Cisco released updates this week to address a new set of significant security flaws in the Expressway Series and Cisco TelePresence Video Communication Server (VCS) that might allow a hacker to obtain elevated access and run arbitrary code.

The two vulnerabilities are CVE-2022-20754 and CVE-2022-20755 (CVSS scores of 9.0). They are related to an arbitrary file write and command injection flaw in two products’ API and web-based administration interfaces, respectively, and might have catastrophic consequences for vulnerable systems. According to the company, both flaws stem from a lack of input validation of user-supplied command arguments, a weakness that a remote attacker could exploit to carry out directory traversal attacks, overwrite arbitrary files, and run malicious code as the root user on the underlying operating system.

“These vulnerabilities were found during internal security testing by Jason Crowder of the Cisco Advanced Security Initiatives Group (ASIG),” the company said in its alert released on Wednesday. Cisco also resolved three more weaknesses. They were in StarOS, Cisco Identity Services Engine RADIUS Service, and Cisco Ultra Cloud Core – Subscriber Microservices Infrastructure software.

CVE-2022-20665 (CVSS score of 6.0) – An attacker with administrator credentials might use a command injection vulnerability in Cisco StarOS to run arbitrary code with root privileges.
CVE-2022-20756 (CVSS score of 8.6) – A denial-of-service (DoS) flaw affecting Cisco ISE’s (Identity Services Engine) RADIUS feature.
CVE-2022-20762 (CVSS score of 7.8) – A privilege escalation problem in Cisco Ultra Cloud Core – Subscriber Microservices Infrastructure (SMI) software’s Common Execution Environment (CEE) ConfD CLI that might allow an authorized, local attacker to escalate to root privileges.

Cisco further stated that the vulnerabilities were discovered via internal security testing or during the settlement of a Cisco Technical Assistance Center (TAC) support issue. No evidence of malicious exploitation of flaws was found. Customers are encouraged to upgrade to the most recent versions as soon as possible to avoid any potential in-the-wild attacks.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Functional

Performance

Analytics

Others

Cisco Expressway Series and TelePresence VCS Products Receive Critical Patches

About the author

CIM Team

Share:

Related ARTICLES

CaTEGORIES

Quick Nav

Cisco Expressway Series and TelePresence VCS Products Receive Critical Patches

About the author

CIM Team

Share:

Related ARTICLES

Weekly Cyber Threat Report, May 22-26, 2023

Devastating DDoS Attacks Launched Against Gaming Industry by Dark Frost Botnet

Israeli Logistics Sector Attacked by Iranian Tortoiseshell Hackers

GoldenJackal: New Threat Gang Attacking South Asian And Middle Eastern Governments

CaTEGORIES

Quick Nav