Cisco on Wednesday rolled out security updates to address a critical flaw affecting its IP Phone 6800, 7800, 7900, and 8800 Series products.
The vulnerability, tracked as CVE-2023-20078, is rated 9.8 out of 10 on the CVSS scoring system and is described as a command injection bug in the web-based management interface, caused by insufficient validation of user-supplied input.
Successful exploitation of the bug could allow an unauthenticated, remote attacker to inject arbitrary commands that would be executed with root privileges on the underlying operating system.
“An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface,” Cisco said in an advisory issued on March 1, 2023.
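The root cause described above (a management endpoint that splices unvalidated input into a privileged OS command, reachable without authentication) is a generic pattern. The following is an added illustration, not Cisco's code and not derived from the advisory: a hypothetical "ping a host" diagnostic handler written first in the vulnerable style and then in a hardened form that requires authentication, allowlists the input, and passes arguments to the process directly instead of through a shell. The endpoint, parameter names and the `ping` diagnostic are assumptions for the example.

```python
import re
import subprocess
from typing import Callable, List, Tuple

# --- Vulnerable pattern (for contrast only) -------------------------------
# Hypothetical diagnostic handler: the admin UI lets a user ping a host.
# The raw value is spliced into a shell command line, so any shell
# metacharacters in `target` are interpreted by the shell. This is the
# "insufficient validation of user-supplied input" class of bug.
def build_command_unsafe(target: str) -> str:
    return f"ping -c 1 {target}"


# --- Hardened pattern -------------------------------------------------------
# Allowlist: hostnames and dotted IPv4 literals built only from letters,
# digits, dots and hyphens; no whitespace, quotes, semicolons, $( ), | or &.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def validate_host(target: str) -> bool:
    """Return True only if `target` matches the strict hostname allowlist."""
    return bool(_HOST_RE.fullmatch(target))


def build_command_safe(target: str) -> List[str]:
    """Build an argv list; the input becomes exactly one argument, never a shell string."""
    if not validate_host(target):
        raise ValueError("invalid host")
    return ["ping", "-c", "1", target]


def run_argv(argv: List[str], timeout: float = 5.0) -> int:
    """Execute argv without a shell (shell=False is the default) and return its exit status."""
    proc = subprocess.run(argv, capture_output=True, timeout=timeout, check=False)
    return proc.returncode


def handle_request(
    authenticated: bool,
    target: str,
    runner: Callable[[List[str]], int] = run_argv,
) -> Tuple[int, str]:
    """Hardened request handler for the hypothetical diagnostic endpoint.

    Returns an (HTTP status, message) pair. Two independent controls are
    applied before any command runs: the caller must be authenticated, and
    the parameter must pass the allowlist. `runner` is injectable so the
    handler can be exercised without actually invoking ping.
    """
    if not authenticated:
        return (401, "authentication required")
    if not validate_host(target):
        return (400, "invalid host")
    rc = runner(build_command_safe(target))
    return (200, f"diagnostic finished with exit status {rc}")


if __name__ == "__main__":
    # Constructed sample inputs: a benign host and one carrying shell syntax.
    for sample in ("10.0.0.1", "10.0.0.1; id"):
        print(repr(sample), "->", handle_request(True, sample, runner=lambda argv: 0))
```

The allowlist is deliberately stricter than what a shell-escaping function would give: rejecting the request outright is simpler to reason about than trying to neutralise metacharacters, and passing an argv list to `subprocess.run` means there is no shell to interpret them in the first place.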
The company also patched a severe denial-of-service (DoS) vulnerability affecting the same set of devices, as well as the Cisco Unified IP Conference Phone 8831 and Unified IP Phone 7900 Series.
CVE-2023-20079 (CVSS score: 7.5) also stems from insufficient validation of user input in the web-based management interface and could be exploited by adversaries to cause a DoS condition.
Cisco has released Cisco Multiplatform Firmware version 11.3.7SR1 to address CVE-2023-20078, but will not fix CVE-2023-20079 on the Unified IP Conference Phone 8831 and Unified IP Phone 7900 Series, as both models have reached end of life (EoL).
The company said it was not aware of any malicious exploitation attempts targeting the flaws, which it said were discovered during internal security testing.
The advisory comes as Aruba Networks, a subsidiary of Hewlett Packard Enterprise, released an update to ArubaOS to fix multiple unauthenticated command injection and stack-based buffer overflow flaws (CVE-2023-22747 through CVE-2023-22752, CVSS score: 9.8) that could lead to code execution.