How To Fix CVE-2022-20754(5)- Critical Command Injection And Arbitrary Code Execution Vulnerabilities In Cisco Expressway Series And TelePresence VCS

During their internal security test, Cisco Advanced Security Initiatives Group (ASIG) found two critical vulnerabilities in Cisco Expressway Series and TelePresence Video Communication Server (VCS). Vulnerabilities tracking under the CVE IDs CVE-2022-20754 and CVE-2022-20755 have got a score of 9.0 as per the CVSS 3.0 scoring system. Research says that successful exploitation of these vulnerabilities could allow an advisory to write files or execute arbitrary code on the operating system of an affected device with root privileges. This ability makes these vulnerabilities critical and forces potential victims to fix them as soon as possible. Let’s see how to fix CVE-2022-20754(5)- Critical Command Injection and Arbitrary Code Execution Vulnerabilities in Cisco Expressway Series and TelePresence VCS?

Summary Of The CVE-2022-20754 Vulnerability:

An Arbitrary Code Execution Vulnerability in Cisco Expressway Series and TelePresence VCS

This vulnerability exists in the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS. It allows an advisory to write files or execute arbitrary code on the operating system of an affected device with root privileges. However, advisories should need read/write access to exploit the vulnerability.

Cisco says, “This vulnerability is due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by authenticating the system as an administrative user and then submitting crafted input to the affected command. A successful exploit could allow the attacker to overwrite arbitrary files on the underlying operating system as the root user.”

Summary Of The CVE-2022-20755 Vulnerability:

A Command Injection Vulnerability in Cisco Expressway Series and TelePresence VCS

This vulnerability exists in the web-based management interface of Cisco Expressway Series and Cisco TelePresence VCS. It allows an advisory to write files or execute arbitrary code on the operating system of an affected device with root privileges. However, advisories should need read/write access to exploit the vulnerability.

Cisco says, “This vulnerability is due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by authenticating the system as an administrative user and then submitting crafted input to the affected command. A successful exploit could allow the attacker to overwrite arbitrary files on the underlying operating system as the root user.”

Products Affected By The Command Injection And Arbitrary Code Execution Vulnerabilities:

These vulnerabilities affect the Cisco Expressway Series and Cisco TelePresence VCS Release earlier than 14.0. Those who are using Cisco Expressway Series and Cisco TelePresence VCS are encouraged to check their versions and fix the CVE-2022-20754 and CVE-2022-20755 vulnerabilities as soon as possible.

How To Fix CVE-2022-20754 And CVE-2022-20755?

Cisco has rolled out a patch to fix CVE-2022-20754 and CVE-2022-20755 vulnerabilities- Critical Command Injection and Arbitrary Code Execution Vulnerabilities in Cisco Expressway Series and TelePresence VCS (Video Communication Server). Users of these products need to upgrade their products to v14.0.5 to fix these vulnerabilities.

How To Upgrade Cisco Expressway Series And TelePresence VCS?

Follow this simple procedure to upgrade Cisco Expressway Series and TelePresence VCS. Please ensure you have a backup before proceeding with this upgrade process and the potential impact of this process.

Note:
1. In the cluster setup, upgrade the primary Cisco Expressway Series and TelePresence VCS first, followed by secondary nodes.
2. Check the prerequisites and dependencies from here before proceeding upgrade.
3. Ensure you have the VMware ESXI team with you to check the status of services after reboot or to troubleshoot in case of any issues. 
4. Take the snapshot backup or at least file backup to revert or restore the changes in case of issues.

Step 1. Create a system backup file

Navigate to Maintenance > Backup and Restore as shown in the image.Enter your desired password, then click on Create system backup file to download the password-protected backup file.

Step 2. Collect xConfiguration backup

This helps in re-configuring the configuration settings in case of configuration issues.
Run this command in the command prompt of the VCS/Expressway Servers.

xconfiguration

Step 3. Upgrade Cisco Expressway Series and TelePresence VCS:

1. Download the package from here.2. Contact the Cisco Licensing team or visit here to get the Release key for upgrade.3. Navigate to Maintenance > Maintenance mode and then set Maintenance mode to On, select Save and Ok on the confirmation dialog.4. Wait for all calls to clear and registrations to timeout.5. Then Navigate to Maintenance > Upgrade.6. Browse the downloaded upgrade file and click the Upgrade button.

Step 4. Verify the upgradation

Navigate to Expressway GUI > Status > Overview to verify the upgradation was successful.

We hope this post would help you know How to Fix CVE-2022-20754(5)- Critical Command Injection and Arbitrary Code Execution Vulnerabilities in Cisco Expressway Series and TelePresence VCS. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.