Cisco Expressway-C and TelePresence VCS Vulnerability: Unauthorized Access to Sensitive Data possible via SSL Certificate Validation Flaw

CVE-2022-20814

7.4HIGH

Key Information

Vendor
Cisco
Status
Cisco Telepresence Video Communication Server (vcs) Expressway
Vendor
CVE Published:
15 November 2024

Badges

👾 Exploit Exists

Summary

A vulnerability in the certificate validation of Cisco Expressway-C and Cisco TelePresence VCS could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data.  The vulnerability is due to a lack of validation of the SSL server certificate that an affected device receives when it establishes a connection to a Cisco Unified Communications Manager device. An attacker could exploit this vulnerability by using a man-in-the-middle technique to intercept the traffic between the devices, and then using a self-signed certificate to impersonate the endpoint. A successful exploit could allow the attacker to view the intercepted traffic in clear text or alter the contents of the traffic. Note: Cisco Expressway-E is not affected by this vulnerability.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Affected Version(s)

Cisco TelePresence Video Communication Server (VCS) Expressway = X8.11.2

Cisco TelePresence Video Communication Server (VCS) Expressway = X8.6

Cisco TelePresence Video Communication Server (VCS) Expressway = X8.11.3

Refferences

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.