Cisco has disclosed today a high-severity vulnerability affecting the latest generation of its IP phones and exposing them to remote code execution and denial of service (DoS) attacks.

The company warned on Thursday that its Product Security Incident Response Team (PSIRT) is "aware that proof-of-concept exploit code is available" and that the "vulnerability has been publicly discussed."

However, Cisco's PSIRT added that it is not yet aware of any attempts to exploit this flaw in attacks.

Cisco has not released security updates to address this bug before disclosure and says that a patch will be available in January 2023. 

CVE-2022-20968, as the security flaw is tracked, is caused by insufficient input validation of received Cisco Discovery Protocol packets, which unauthenticated, adjacent attackers can exploit to trigger a stack overflow.

Affected devices include Cisco IP phones running 7800 and 8800 Series firmware version 14.2 and earlier.

Mitigation available for some devices

While a security update to address CVE-2022-20968 or a workaround are not yet available, Cisco provides mitigation advice for admins who want to secure vulnerable devices in their environment from potential attacks.

This requires disabling the Cisco Discovery Protocol on affected IP Phone 7800 and 8800 Series devices that also support Link Layer Discovery Protocol (LLDP) for neighbor discovery.

"Devices will then use LLDP for discovery of configuration data such as voice VLAN, power negotiation, and so on," Cisco explained in a security advisory published Thursday.

"This is not a trivial change and will require diligence on behalf of the enterprise to evaluate any potential impact to devices as well as the best approach to deploy this change in their enterprise."

Admins who want to deploy this mitigation are advised to test its effectiveness and applicability for their environment.

Cisco warned that "customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment."

The information contained in this website is for general information purposes only. The information is gathered from BleepingComputer, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.