On March 1, Cisco released security updates to fix a critical vulnerability affecting its 6800, 7800, 7900 and 8800 series IP phones.
The vulnerability, tracked as CVE-2023-20078, has a rating of 9.8 out of 10 in the CVSS scoring system and is described as a command injection flaw in the web-based management interface caused by insufficient validation of user-supplied input. Successful exploitation could allow a remote, unauthenticated attacker to execute arbitrary commands with the highest privileges on the underlying operating system.
Cisco also fixed a high-severity denial-of-service (DoS) vulnerability affecting the same set of devices, as well as the Cisco Unified IP Conference Phone 8831 and the Unified IP Phone 7900 series.
CVE-2023-20079 (CVSS: 7.5), which likewise results from insufficient validation of user-supplied input in the web-based management interface, could also be used by attackers to carry out DoS attacks.
Although Cisco has released Multiplatform Firmware version 11.3.7SR1 to fix CVE-2023-20078, the company said it does not plan to fix CVE-2023-20079, since both Unified IP Conference Phone models have already reached end of life. The company quite often declines to fix vulnerabilities in older equipment, motivating its customers to purchase new devices.
Both vulnerabilities were discovered during Cisco's internal security testing, and the company said that they have not yet been exploited in real attacks.