CVE-2022-20660

Cisco IP Phones Information Disclosure Vulnerability

CVSS 4.6 MEDIUMEPSS 0.4%CWE-312

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 4.6EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

14 ene 2022Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

A vulnerability in the information storage architecture of several Cisco IP Phone models could allow an unauthenticated, physical attacker to obtain confidential information from an affected device. This vulnerability is due to unencrypted storage of confidential information on an affected device. An attacker could exploit this vulnerability by physically extracting and accessing one of the flash memory chips. A successful exploit could allow the attacker to obtain confidential information from the device, which could be used for subsequent attacks.

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Productos afectados

Cisco · Cisco Session Initiation Protocol (SIP) Software

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

http://packetstormsecurity.com/files/165567/Cisco-IP-Phone-Cleartext-Password-Storage.html http://seclists.org/fulldisclosure/2022/Jan/34 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-info-disc-fRdJfOxA