Table of Contents
  • Home
  • /
  • Blog
  • /
  • How To Fix CVE-2022-20754(5)- Critical Command Injection And Arbitrary Code Execution Vulnerabilities In Cisco Expressway Series And TelePresence VCS
March 4, 2022
|
5m

How To Fix CVE-2022-20754(5)- Critical Command Injection And Arbitrary Code Execution Vulnerabilities In Cisco Expressway Series And TelePresence VCS


How To Fix Cve 2022 207545 Critical Command Injection And Arbitrary Code Execution Vulnerabilities In Cisco Expressway Series And Telepresence Vcs

During their internal security test, Cisco Advanced Security Initiatives Group (ASIG) found two critical vulnerabilities in Cisco Expressway Series and TelePresence Video Communication Server (VCS). Vulnerabilities tracking under the CVE IDs CVE-2022-20754 and CVE-2022-20755 have got a score of 9.0 as per the CVSS 3.0 scoring system. Research says that successful exploitation of these vulnerabilities could allow an advisory to write files or execute arbitrary code on the operating system of an affected device with root privileges. This ability makes these vulnerabilities critical and forces potential victims to fix them as soon as possible. Let’s see how to fix CVE-2022-20754(5)- Critical Command Injection and Arbitrary Code Execution Vulnerabilities in Cisco Expressway Series and TelePresence VCS?

Summary Of The CVE-2022-20754 Vulnerability:

An Arbitrary Code Execution Vulnerability in Cisco Expressway Series and TelePresence VCS

This vulnerability exists in the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS. It allows an advisory to write files or execute arbitrary code on the operating system of an affected device with root privileges. However, advisories should need read/write access to exploit the vulnerability.

Cisco says, “This vulnerability is due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by authenticating the system as an administrative user and then submitting crafted input to the affected command. A successful exploit could allow the attacker to overwrite arbitrary files on the underlying operating system as the root user.”

Associated CVE IDCVE-2022-20754
DescriptionA Arbitrary Code Execution Vulnerability in Cisco Expressway Series and TelePresence VCS
Associated ZDI ID
CVSS Score9.0 Critical
VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)High
User Interaction (UI)None
ScopeChanged
Confidentiality (C)High
Integrity (I)High
availability (a)Low

Summary Of The CVE-2022-20755 Vulnerability:

A Command Injection Vulnerability in Cisco Expressway Series and TelePresence VCS

This vulnerability exists in the web-based management interface of Cisco Expressway Series and Cisco TelePresence VCS. It allows an advisory to write files or execute arbitrary code on the operating system of an affected device with root privileges. However, advisories should need read/write access to exploit the vulnerability.

Cisco says, “This vulnerability is due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by authenticating the system as an administrative user and then submitting crafted input to the affected command. A successful exploit could allow the attacker to overwrite arbitrary files on the underlying operating system as the root user.”

Associated CVE IDCVE-2022-20755
DescriptionA Command Injection Vulnerability in Cisco Expressway Series and TelePresence VCS
Associated ZDI ID
CVSS Score9.0 Critical
VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)High
User Interaction (UI)None
ScopeChanged
Confidentiality (C)High
Integrity (I)High
availability (a)Low

Products Affected By The Command Injection And Arbitrary Code Execution Vulnerabilities:

These vulnerabilities affect the Cisco Expressway Series and Cisco TelePresence VCS Release earlier than 14.0. Those who are using Cisco Expressway Series and Cisco TelePresence VCS are encouraged to check their versions and fix the CVE-2022-20754 and CVE-2022-20755 vulnerabilities as soon as possible.

How To Fix CVE-2022-20754 And CVE-2022-20755?

Cisco has rolled out a patch to fix CVE-2022-20754 and CVE-2022-20755 vulnerabilities- Critical Command Injection and Arbitrary Code Execution Vulnerabilities in Cisco Expressway Series and TelePresence VCS (Video Communication Server). Users of these products need to upgrade their products to v14.0.5 to fix these vulnerabilities.

How To Upgrade Cisco Expressway Series And TelePresence VCS?


Follow this simple procedure to upgrade
Cisco Expressway Series and TelePresence VCS. Please ensure you have a backup before proceeding with this upgrade process and the potential impact of this process.

Note:
1. In the cluster setup, upgrade the primary
Cisco Expressway Series and TelePresence VCS first, followed by secondary nodes.
2. Check the prerequisites and dependencies from 
here before proceeding upgrade.
3. Ensure you have the VMware ESXI team with you to check the status of services after reboot or to troubleshoot in case of any issues. 
4. Take the snapshot backup or at least file backup to revert or restore the changes in case of issues.

Step 1. Create a system backup file

Navigate to Maintenance > Backup and Restore as shown in the image.Enter your desired password, then click on Create system backup file to download the password-protected backup file.

Step 2. Collect xConfiguration backup

This helps in re-configuring the configuration settings in case of configuration issues.
Run this command in the command prompt of the VCS/Expressway Servers.

xconfiguration

Step 3. Upgrade Cisco Expressway Series and TelePresence VCS:

1. Download the package from here.2. Contact the Cisco Licensing team or visit here to get the Release key for upgrade.3. Navigate to Maintenance > Maintenance mode and then set Maintenance mode to On, select Save and Ok on the confirmation dialog.4. Wait for all calls to clear and registrations to timeout.5. Then Navigate to Maintenance > Upgrade.6. Browse the downloaded upgrade file and click the Upgrade button.

Step 4. Verify the upgradation

Navigate to Expressway GUI > Status > Overview to verify the upgradation was successful.

We hope this post would help you know How to Fix CVE-2022-20754(5)- Critical Command Injection and Arbitrary Code Execution Vulnerabilities in Cisco Expressway Series and TelePresence VCS. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

You may also like these articles:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Vulnerabilities

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe