CVE-2022-20660

Cisco IP Phones Information Disclosure Vulnerability

CVSS 4.6 MEDIUMEPSS 0.4%CWE-312

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 4.6EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

14 jan 2022Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

A vulnerability in the information storage architecture of several Cisco IP Phone models could allow an unauthenticated, physical attacker to obtain confidential information from an affected device. This vulnerability is due to unencrypted storage of confidential information on an affected device. An attacker could exploit this vulnerability by physically extracting and accessing one of the flash memory chips. A successful exploit could allow the attacker to obtain confidential information from the device, which could be used for subsequent attacks.

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Produtos afetados

Cisco · Cisco Session Initiation Protocol (SIP) Software

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

http://packetstormsecurity.com/files/165567/Cisco-IP-Phone-Cleartext-Password-Storage.html http://seclists.org/fulldisclosure/2022/Jan/34 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-info-disc-fRdJfOxA