Cisco released security updates for TelePresence, RoomOS, and Umbrella VA

Cisco has released security updates to address three high-severity vulnerabilities in its products that could be exploited to cause a denial-of-service (DoS) condition and take control of affected systems.

In the first of the three flaws, CVE-2022-20783 (CVSS score: 7.5), an unauthenticated, remote attacker can send specially crafted traffic to the devices via Cisco TelePresence Collaboration Endpoint (CE) and Cisco RoomOS software due to a lack of proper input validation.

Using a successful exploit, an attacker could cause the affected device to either reboot normally or reboot into maintenance mode, which could result in a DoS condition on the device," the company said in an advisory.

The National Security Agency of the United States is credited with finding and reporting the flaw (NSA). Versions 9.15.10.8 and 10.11.2.2 of the Cisco TelePresence CE software fix the problem.

An SSH host key vulnerability, CVE-2022-20773 (CVSS score: 7.5), has been patched in Cisco Umbrella Virtual Appliance (VA) software versions prior to 3.3.2, allowing an attacker to perform a man-in-the-middle (MitM) attack on an SSH connection in order to steal the administrator credentials.

An authenticated, a local attacker can escalate privileges on devices due to a third, extremely serious vulnerability in Cisco Virtualized Infrastructure Manager (CVE-2022-20732, CVSS score: 7.8). Version 4.2.2 of the software has fixed the issue.

"To view and modify the database's contents, an attacker would need credentials obtained through a successful exploit. In order to gain access to the database, the attacker could use this to gain access to the affected device "According to the company, this is the case.

There are ten moderately serious issues that Cisco is working to resolve across a wide range of its products such as Webex Meetings and Unified Communications Products as well as Umbrella Secure Web Gateway and IOS XR software.