• Home
  • |
  • Blog
  • |
  • How To Fix CVE-2022-20754(5)- Critical Command Injection And Arbitrary Code Execution Vulnerabilities In Cisco Expressway Series And TelePresence VCS
How to Fix CVE-2022-20754(5)- Critical Command Injection and Arbitrary Code Execution Vulnerabilities in Cisco Expressway Series and TelePresence VCS

During their internal security test, Cisco Advanced Security Initiatives Group (ASIG) found two critical vulnerabilities in Cisco Expressway Series and TelePresence Video Communication Server (VCS). Vulnerabilities tracking under the CVE IDs CVE-2022-20754 and CVE-2022-20755 have got a score of 9.0 as per the CVSS 3.0 scoring system. Research says that successful exploitation of these vulnerabilities could allow an advisory to write files or execute arbitrary code on the operating system of an affected device with root privileges. This ability makes these vulnerabilities critical and forces potential victims to fix them as soon as possible. Let’s see how to fix CVE-2022-20754(5)- Critical Command Injection and Arbitrary Code Execution Vulnerabilities in Cisco Expressway Series and TelePresence VCS?

Summary Of The CVE-2022-20754 Vulnerability:

An Arbitrary Code Execution Vulnerability in Cisco Expressway Series and TelePresence VCS

This vulnerability exists in the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS. It allows an advisory to write files or execute arbitrary code on the operating system of an affected device with root privileges. However, advisories should need read/write access to exploit the vulnerability.

Cisco says, “This vulnerability is due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by authenticating the system as an administrative user and then submitting crafted input to the affected command. A successful exploit could allow the attacker to overwrite arbitrary files on the underlying operating system as the root user.”

Associated CVE IDCVE-2022-20754
DescriptionA Arbitrary Code Execution Vulnerability in Cisco Expressway Series and TelePresence VCS
Associated ZDI ID
CVSS Score9.0 Critical
VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)High
User Interaction (UI)None
ScopeChanged
Confidentiality (C)High
Integrity (I)High
availability (a)Low

Summary Of The CVE-2022-20755 Vulnerability:

A Command Injection Vulnerability in Cisco Expressway Series and TelePresence VCS

This vulnerability exists in the web-based management interface of Cisco Expressway Series and Cisco TelePresence VCS. It allows an advisory to write files or execute arbitrary code on the operating system of an affected device with root privileges. However, advisories should need read/write access to exploit the vulnerability.

Cisco says, “This vulnerability is due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by authenticating the system as an administrative user and then submitting crafted input to the affected command. A successful exploit could allow the attacker to overwrite arbitrary files on the underlying operating system as the root user.”

Associated CVE IDCVE-2022-20755
DescriptionA Command Injection Vulnerability in Cisco Expressway Series and TelePresence VCS
Associated ZDI ID
CVSS Score9.0 Critical
VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)High
User Interaction (UI)None
ScopeChanged
Confidentiality (C)High
Integrity (I)High
availability (a)Low

Products Affected By The Command Injection And Arbitrary Code Execution Vulnerabilities:

These vulnerabilities affect the Cisco Expressway Series and Cisco TelePresence VCS Release earlier than 14.0. Those who are using Cisco Expressway Series and Cisco TelePresence VCS are encouraged to check their versions and fix the CVE-2022-20754 and CVE-2022-20755 vulnerabilities as soon as possible.

How To Fix CVE-2022-20754 And CVE-2022-20755?

Cisco has rolled out a patch to fix CVE-2022-20754 and CVE-2022-20755 vulnerabilities- Critical Command Injection and Arbitrary Code Execution Vulnerabilities in Cisco Expressway Series and TelePresence VCS (Video Communication Server). Users of these products need to upgrade their products to v14.0.5 to fix these vulnerabilities.

How To Upgrade Cisco Expressway Series And TelePresence VCS?

Follow this simple procedure to upgrade Cisco Expressway Series and TelePresence VCS. Please ensure you have a backup before proceeding with this upgrade process and the potential impact of this process.

Note:
1. In the cluster setup, upgrade the primary Cisco Expressway Series and TelePresence VCS first, followed by secondary nodes.

2. Check the prerequisites and dependencies from here before proceeding upgrade.

3. Ensure you have the VMware ESXI team with you to check the status of services after reboot or to troubleshoot in case of any issues. 

4. Take the snapshot backup or at least file backup to revert or restore the changes in case of issues.

  1. Create a system backup file

    Navigate to Maintenance > Backup and Restore as shown in the image.
    Enter your desired password, then click on Create system backup file to download the password-protected backup file.

    Create system backup file of Cisco Expressway Series and TelePresence VCS

  2. Collect xConfiguration backup

    This helps in re-configuring the configuration settings in case of configuration issues.

    Run this command in the command prompt of the VCS/Expressway Servers.

    xconfiguration

    Collect xConfiguration backup of Cisco Expressway Series and TelePresence VCS

  3. Upgrade Cisco Expressway Series and TelePresence VCS:

    1. Download the package from here.
    2. Contact the Cisco Licensing team or visit here to get the Release key for upgrade.
    3. Navigate to Maintenance > Maintenance mode and then set Maintenance mode to On, select Save and Ok on the confirmation dialog.
    4. Wait for all calls to clear and registrations to timeout.
    5. Then Navigate to Maintenance > Upgrade.
    6. Browse the downloaded upgrade file and click the Upgrade button.

    Upgrade Cisco Expressway Series and TelePresence VCS

  4. Verify the upgradation

    Navigate to Expressway GUI > Status > Overview to verify the upgradation was successful.

    Verify the upgradation Cisco Expressway Series and TelePresence VCS

We hope this post will help you know How to Fix CVE-2022-20754(5)- Critical Command Injection and Arbitrary Code Execution Vulnerabilities in Cisco Expressway Series and TelePresence VCS. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

About the author

Arun KL

To know more about me. Follow me on LinkedIn
Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.