Attackers could foist manipulated updates on Cisco admins

Attackers could attack Cisco network hardware and software and, in the worst case, execute their own code. No gap is classified as critical. Security updates are available. Admins can find more information about the patches in the warning messages linked below this message.

Malicious code update

Due to an insufficient cryptographic signature check, attackers could foist an update manipulated with malicious code on to admins of Cisco Enterprise NFV Infrastructure Software (NFVIS). After installing such an update, NFVIS systems are considered completely compromised.

The vulnerability (CVE-2022-20929) has a threat level of “high“ classified. NFVIS is said to be compromised by default. This can be remedied by installing the ones protected against the attack Version 4.9.1.

Man-in-the-middle attack

Cisco Expressway-C and TelePresence VCS are experiencing SSL certificate validation failures (CVE-2022-20814 “high“) , attackers could hook into connections. In this position, they could look at unencrypted information. Also, an attacker could trick victims into clicking a special link to trigger a reboot of systems (CVE-2022-20853 “high“).

In addition, attacks on the ATA 190 Series, BroadWorks Hosted Thin Receptionist and Secure Web Appliance, among others, are still possible. Attackers could bypass filters or gain higher user rights here.

List sorted by threat level in descending order:

• Cisco Enterprise NFV Infrastructure Software Improper Signature Verification
• Cisco Expressway Series and Cisco TelePresence Video Communication Server
• Cisco Touch 10 Devices Insufficient Identity Verification
• Cisco Touch 10 devices downgrade
• Cisco BroadWorks Hosted Thin Receptionist Cross-Site Scripting
• Cisco ATA 190 Series Analog Telephone Adapter Software
• Cisco Secure Web Appliance Content Encoding Filter Bypass
• Cisco Jabber Client Software Extensible Messaging and Presence Protocol Stanza Smuggling
• Cisco Smart Software Manager On-Prem Privilege Escalation