Cisco has released patches for security flaws in several of its products.
The company disclosed the patches in an advisory on Wednesday, describing two vulnerabilities, one of which is rated Critical in severity.
“A vulnerability in the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS could allow an authenticated, remote attacker with Administrator read-write privileges on the application to conduct absolute path traversal attacks on an affected device and overwrite files on the underlying operating system as a root user,” read the advisory.
Cisco explained that these vulnerabilities affect Cisco Expressway Series software and Cisco TelePresence VCS software if they are running in the default configuration.
Tracked as CVE-2022-20812, the first of the two vulnerabilities has a CVSS Base Score of 9.0 and is due to insufficient input validation of user-supplied command arguments.
“An attacker could exploit this vulnerability by authenticating to the system as an administrative read-write user and submitting crafted input to the affected command.”
A successful exploit could then allow the attacker to overwrite arbitrary files on the underlying operating system as the root user.
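The advisory names the vulnerability class (absolute path traversal through an insufficiently validated path argument in a privileged API) but not the affected code. The following C example is added here to show that class in generic form: a root-privileged file writer that first accepts the caller's path as-is, then with a confinement check that rejects absolute paths and ".." segments. It is illustrative code, not Cisco's, and the directory /var/cluster/db and the sample file names are assumptions.

```c
/* Added example, not code from the Cisco advisory or product. Shows the
 * "absolute path traversal" class: a privileged writer that trusts a
 * user-supplied path versus one that confines the path to a base directory.
 * CLUSTER_DB_DIR and all sample inputs are assumptions made for the demo. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define CLUSTER_DB_DIR "/var/cluster/db"   /* assumed confinement directory */

typedef int (*resolver_fn)(const char *, char *, size_t);

/* Vulnerable pattern: the caller's path is used unchanged. "/etc/shadow" or
 * "../../etc/shadow" is accepted, so a root-privileged writer overwrites
 * arbitrary files. Returns the length written, -1 on overflow. */
int resolve_target_vulnerable(const char *user_path, char *out, size_t out_len) {
    int n = snprintf(out, out_len, "%s", user_path);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

/* Lexical confinement check: no absolute path, no empty or ".." segment,
 * no trailing slash. Returns true only for a plain relative path. */
bool path_is_confined(const char *user_path) {
    if (user_path == NULL || user_path[0] == '\0' || user_path[0] == '/')
        return false;                               /* empty or absolute: reject */
    const char *p = user_path;
    for (;;) {
        const char *seg_end = strchr(p, '/');
        size_t seg_len = seg_end ? (size_t)(seg_end - p) : strlen(p);
        if (seg_len == 0 || (seg_len == 2 && p[0] == '.' && p[1] == '.'))
            return false;                           /* "//" or "..": reject */
        if (seg_end == NULL)
            return true;
        if (seg_end[1] == '\0')
            return false;                           /* trailing slash: reject */
        p = seg_end + 1;
    }
}

/* Hardened pattern: validate, then anchor the path under CLUSTER_DB_DIR. */
int resolve_target_hardened(const char *user_path, char *out, size_t out_len) {
    if (!path_is_confined(user_path))
        return -1;
    int n = snprintf(out, out_len, "%s/%s", CLUSTER_DB_DIR, user_path);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

/* Helper for checks: 1 if fn accepts user_path and yields exactly expected. */
int resolves_to(resolver_fn fn, const char *user_path, const char *expected) {
    char buf[256];
    return fn(user_path, buf, sizeof buf) > 0 && strcmp(buf, expected) == 0;
}

int main(void) {
    /* Constructed sample inputs: one legitimate, two traversal attempts. */
    const char *inputs[] = { "backups/node1.json", "/etc/shadow", "../../etc/shadow" };
    char buf[256];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int v = resolve_target_vulnerable(inputs[i], buf, sizeof buf);
        printf("vulnerable: %-18s -> %s\n", inputs[i], v < 0 ? "(rejected)" : buf);
        int h = resolve_target_hardened(inputs[i], buf, sizeof buf);
        printf("hardened:   %-18s -> %s\n", inputs[i], h < 0 ? "(rejected)" : buf);
    }
    return 0;
}
```

The check is purely lexical, so it stops absolute paths and ".." but not a symlink already placed inside the base directory; a writer that runs as root should also open the final path with O_NOFOLLOW or compare its realpath() against the base before writing.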
Cisco also addressed the Cisco Expressway Series and Cisco TelePresence VCS Null Byte Poisoning Vulnerability (CVE-2022-20813), which has a CVSS Base Score of 7.4.
A vulnerability in the certificate validation of Cisco Expressway Series and Cisco TelePresence VCS, this flaw could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data.
“This vulnerability is due to improper certificate validation. An attacker could exploit this vulnerability by using a man-in-the-middle technique to intercept the traffic between devices and then using a crafted certificate to impersonate the endpoint,” Cisco wrote.
“A successful exploit could allow the attacker to view the intercepted traffic in clear text or alter the contents of the traffic.”
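The advisory's title names the class ("null byte poisoning" in certificate validation) without describing the affected code. The C example below is added here to show the general class, not Cisco's implementation: a certificate's subject name is a length-prefixed ASN.1 string and may legally contain a 0x00 byte, so a validator that copies it into a C string and compares it with strcmp only sees the bytes before the NUL. The crafted name, the expected hostname and the function names are assumptions made for the demonstration.

```c
/* Added example, not code from the Cisco advisory or product. Shows the
 * "null byte poisoning" class in certificate name matching: a length-prefixed
 * subject name containing 0x00 compared as a C string versus by length.
 * CRAFTED_CN and the expected hostname are constructed sample data. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed sample: 37 bytes of subject CN with an embedded NUL after the
 * victim's name (sizeof counts the literal's own terminator, hence the -1). */
static const uint8_t CRAFTED_CN[] = "expressway.example.com\0.attacker.test";
#define CRAFTED_CN_LEN (sizeof CRAFTED_CN - 1)
#define EXPECTED_HOST "expressway.example.com"

/* Vulnerable: the raw name bytes are copied into a C string, so everything
 * after an embedded NUL becomes invisible to strcmp. */
bool name_matches_vulnerable(const uint8_t *name, size_t name_len, const char *expected) {
    char buf[256];
    if (name_len >= sizeof buf)
        return false;
    memcpy(buf, name, name_len);
    buf[name_len] = '\0';
    return strcmp(buf, expected) == 0;
}

/* Hardened: reject any name containing a NUL (no legitimate DNS name has one),
 * then compare the full length with memcmp rather than a C-string compare. */
bool name_matches_hardened(const uint8_t *name, size_t name_len, const char *expected) {
    if (memchr(name, 0, name_len) != NULL)
        return false;
    size_t exp_len = strlen(expected);
    return name_len == exp_len && memcmp(name, expected, exp_len) == 0;
}

/* Results for the constructed certificate, one per validator. */
bool crafted_fools_vulnerable(void) {
    return name_matches_vulnerable(CRAFTED_CN, CRAFTED_CN_LEN, EXPECTED_HOST);
}
bool crafted_fools_hardened(void) {
    return name_matches_hardened(CRAFTED_CN, CRAFTED_CN_LEN, EXPECTED_HOST);
}

int main(void) {
    printf("crafted CN length %zu bytes, expected host %s\n", CRAFTED_CN_LEN, EXPECTED_HOST);
    printf("vulnerable validator accepts: %s\n", crafted_fools_vulnerable() ? "yes" : "no");
    printf("hardened validator accepts:   %s\n", crafted_fools_hardened() ? "yes" : "no");
    return 0;
}
```

In a real deployment the comparison should not be hand-written at all: OpenSSL's X509_check_host() (and the equivalent hostname-verification calls in other TLS libraries) performs length-aware matching and handles wildcards and subjectAltName, and the chain must still validate to a trusted CA before the name is even checked.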
The company also said that the released software updates address both vulnerabilities, and system administrators should upgrade as soon as possible, as there are no workarounds that address the flaws.