Vulnerability with public PoC affects Cisco IP phones, fix unavailable (CVE-2022-20968)
2022-12-12 10:10

A high-risk stack overflow vulnerability may allow attackers to DoS or possibly even execute code remotely on Cisco 7800 and 8800 Series IP phones, the company has confirmed.

Cisco's PSIRT is also aware that proof-of-concept exploit code is available for the vulnerability and that the flaw has been publicly discussed, but they are not aware of active attacks exploiting it.

Cisco IP Phone 7800 and 8800 Series are enterprise-grade devices for video and voice communication.

"This vulnerability is due to insufficient input validation of received Cisco Discovery Protocol packets. An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device," the company explained.
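The advisory attributes the flaw to insufficient input validation of received Cisco Discovery Protocol packets. The following C block is an added illustration of the bug class, not Cisco's code and not the affected phone firmware: a CDP TLV walker that performs the two bounds checks whose absence turns an overlong TLV into a stack-buffer overflow (TLV length against the remaining packet, value length against the fixed-size destination field). It assumes the publicly documented CDP layout (a 4-byte header of version, TTL and checksum, followed by TLVs whose 2-byte big-endian length counts the 4-byte TLV header) and the standard Device ID (0x0001) and Port ID (0x0003) types; the 63-byte field limit, the status codes and the sample frames are constructed for this example and say nothing about how the real flaw is triggered.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CDP_HDR_LEN 4        /* version (1), TTL (1), checksum (2) */
#define TLV_HDR_LEN 4        /* type (2), length (2); length includes this header */
#define CDP_TLV_DEVICE_ID 0x0001
#define CDP_TLV_PORT_ID   0x0003
#define MAX_ID_LEN 63        /* constructed limit for this example */

enum cdp_status {
    CDP_OK = 0,
    CDP_ERR_SHORT = -1,          /* packet shorter than the CDP header */
    CDP_ERR_TLV_LEN = -2,        /* TLV length inconsistent with the packet */
    CDP_ERR_VALUE_TOO_LONG = -3  /* value would not fit its destination field */
};

struct cdp_neighbor {
    char device_id[MAX_ID_LEN + 1];  /* +1 for the terminating NUL */
    char port_id[MAX_ID_LEN + 1];
    int tlv_count;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Copy a TLV value into a fixed-size field only if it fits. Skipping this
 * check and copying the attacker-controlled length is the classic stack
 * overflow pattern in packet parsers. */
static int copy_bounded(char *dst, size_t dst_cap, const uint8_t *src, size_t n)
{
    if (n > dst_cap) return CDP_ERR_VALUE_TOO_LONG;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return CDP_OK;
}

/* Walk the TLVs of one CDP payload (checksum not verified here). */
int cdp_parse(const uint8_t *pkt, size_t len, struct cdp_neighbor *out)
{
    memset(out, 0, sizeof *out);
    if (len < CDP_HDR_LEN) return CDP_ERR_SHORT;
    size_t off = CDP_HDR_LEN;
    while (off < len) {
        if (len - off < TLV_HDR_LEN) return CDP_ERR_TLV_LEN;
        uint16_t type = rd16(pkt + off);
        uint16_t tlen = rd16(pkt + off + 2);
        /* The length must cover its own header and must not run past the packet. */
        if (tlen < TLV_HDR_LEN || tlen > len - off) return CDP_ERR_TLV_LEN;
        const uint8_t *val = pkt + off + TLV_HDR_LEN;
        size_t vlen = tlen - TLV_HDR_LEN;
        int rc = CDP_OK;
        switch (type) {
        case CDP_TLV_DEVICE_ID: rc = copy_bounded(out->device_id, MAX_ID_LEN, val, vlen); break;
        case CDP_TLV_PORT_ID:   rc = copy_bounded(out->port_id, MAX_ID_LEN, val, vlen); break;
        default: break;  /* unknown TLV types are skipped, never copied */
        }
        if (rc != CDP_OK) return rc;
        out->tlv_count++;
        off += tlen;
    }
    return CDP_OK;
}

/* Constructed well-formed payload: Device ID "phone1", Port ID "Gi0/1". */
static const uint8_t sample_ok[] = {
    0x02, 0xb4, 0x00, 0x00,
    0x00, 0x01, 0x00, 0x0a, 'p', 'h', 'o', 'n', 'e', '1',
    0x00, 0x03, 0x00, 0x09, 'G', 'i', '0', '/', '1'
};

/* Constructed payload whose TLV claims 64 bytes while only 6 remain. */
static const uint8_t sample_bad_len[] = {
    0x02, 0xb4, 0x00, 0x00,
    0x00, 0x01, 0x00, 0x40, 'a', 'b'
};

/* Constructed payload that is internally consistent but carries an
 * 80-byte Device ID, longer than the 63-byte destination field. */
int demo_oversized_value(void)
{
    uint8_t buf[128];
    size_t vlen = 80;
    buf[0] = 0x02; buf[1] = 0xb4; buf[2] = 0x00; buf[3] = 0x00;
    buf[4] = 0x00; buf[5] = 0x01;
    buf[6] = (uint8_t)((TLV_HDR_LEN + vlen) >> 8);
    buf[7] = (uint8_t)((TLV_HDR_LEN + vlen) & 0xff);
    memset(buf + 8, 'x', vlen);
    struct cdp_neighbor n;
    return cdp_parse(buf, CDP_HDR_LEN + TLV_HDR_LEN + vlen, &n);
}

int main(void)
{
    struct cdp_neighbor n;
    printf("ok frame:        %d (%d TLVs, device=%s port=%s)\n",
           cdp_parse(sample_ok, sizeof sample_ok, &n), n.tlv_count, n.device_id, n.port_id);
    printf("bad length:      %d\n", cdp_parse(sample_bad_len, sizeof sample_bad_len, &n));
    printf("oversized value: %d\n", demo_oversized_value());
    return 0;
}
```

Both rejections happen before any byte is copied into the fixed-size fields, which is the property a parser of untrusted link-layer frames needs; a parser that trusts the TLV length field for either check is the shape of bug the advisory describes.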

The flaw affects the entirety of the IP Phone 7800 Series and all devices in the IP Phone 8800 Series except Cisco Wireless IP Phone 8821.

"There are no workarounds that address this vulnerability. However, there is a mitigation that addresses this vulnerability for deployments that support both Cisco Discovery Protocol and Link Layer Discovery Protocol for neighbor discovery. Administrators may disable Cisco Discovery Protocol on affected IP Phone 7800 and 8800 Series devices. Devices will then use LLDP for discovery of configuration data such as voice VLAN, power negotiation, and so on," Cisco advised, but warned that making this change is not trivial.


News URL

https://www.helpnetsecurity.com/2022/12/12/cve-2022-20968/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Cisco 4429 231 3030 1806 600 5667