CVE-2022-20813 The API and web-based interface of Cisco Expressway and VCS could be vulnerable to remote attackers overwriting arbitrary files or conducting null byte poisoning attacks.

The vulnerabilities are due to insufficient input validation of user-supplied inputs. An attacker could exploit these vulnerabilities to execute arbitrary code, obtain full control of an affected system, or upgrade the system to a vulnerable version. Cisco has released software updates to fix these vulnerabilities. End users who detect these attacks should immediately upgrade to the latest software versions. Cisco has announced plans to discontinue the Cisco Expressway Series and Cisco TelePresence Video Communication Server. If you currently use these products, you should contact your vendor to evaluate the availability of updated versions. Cisco has also announced plans to discontinue Cisco TelePresence Interoperability Program (VTIPP) endpoints. If you currently use Cisco VTIPP endpoints, you should contact your vendor to evaluate the availability of updated versions. Cisco has announced plans to discontinue the Cisco TelePresence Management (TMS) software. If you currently use Cisco TMS, you should contact your vendor to evaluate the availability of updated versions. Cisco has announced plans to discontinue Cisco TelePresence Application Programming Interface (TEAP) specifications. If you currently use Cisco TEAP, you should contact your vendor to evaluate the availability of updated versions. Cisco has announced plans to discontinue Cisco TelePresence Device (TDD) specifications

Cisco TelePresence Expressway Series

The Cisco TelePresence Expressway Series is a suite of IP-based media server platforms that provides both infrastructure- and application-level services for the delivery of real-time, low-latency video and audio. The Cisco TelePresence Expressway Series enables the deployment of robust, scalable, and secure video applications.

References:

Cisco has announced plans to discontinue Cisco TelePresence Interoperability Program (VTIPP) endpoints. If you currently use Cisco VTIPP endpoints, you should contact your vendor to evaluate the availability of updated versions.
If you currently use Cisco TelePresence Device (TDD) specifications, you should contact your vendor to evaluate the availability of updated versions.

Timeline

Published on: 07/06/2022 21:15:00 UTC
Last modified on: 07/14/2022 16:57:00 UTC

References

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-overwrite-3buqW8LH
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-20813