Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-20817

A vulnerability in Cisco Unified IP Phones could allow an unauthenticated, remote attacker to impersonate another user's phone if the Cisco Unified Communications Manager (CUCM) is in secure mode. This vulnerability is due to improper key generation during the manufacturing process that could result in duplicated manufactured keys installed on multiple devices. An attacker could exploit this vulnerability by performing a machine-in-the-middle attack on the secure communication between the phone and the CUCM. A successful exploit could allow the attacker to impersonate another user's phone. This vulnerability cannot be addressed with software updates. There is a workaround that addresses this vulnerability.

Published

2022-06-15T18:15:08.997

Last Modified

2024-11-21T06:43:36.787

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.4 (HIGH)

CVSSv2 Vector

AV:N/AC:H/Au:N/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

4.9

Impact Score

4.9

Weaknesses

Type: Secondary
CWE-338
Type: Primary
CWE-338

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	cisco	unified_ip_phone_6911_firmware	-	Yes
Hardware	cisco	unified_ip_phone_6911	-	No
Operating System	cisco	unified_ip_phone_6921_firmware	-	Yes
Hardware	cisco	unified_ip_phone_6921	-	No
Operating System	cisco	unified_ip_phone_6941_firmware	-	Yes
Hardware	cisco	unified_ip_phone_6941	-	No
Operating System	cisco	unified_ip_phone_6945_firmware	-	Yes
Hardware	cisco	unified_ip_phone_6945	-	No
Operating System	cisco	unified_ip_phone_6961_firmware	-	Yes
Hardware	cisco	unified_ip_phone_6961	-	No
Operating System	cisco	unified_ip_phone_8941_firmware	-	Yes
Hardware	cisco	unified_ip_phone_8941	-	No
Operating System	cisco	unified_ip_phone_8945_firmware	-	Yes
Hardware	cisco	unified_ip_phone_8945	-	No
Operating System	cisco	unified_ip_phone_8961_firmware	-	Yes
Hardware	cisco	unified_ip_phone_8961	-	No
Operating System	cisco	unified_ip_phone_9951_firmware	-	Yes
Hardware	cisco	unified_ip_phone_9951	-	No
Operating System	cisco	unified_ip_phone_9971_firmware	-	Yes
Hardware	cisco	unified_ip_phone_9971	-	No
Operating System	cisco	ata_187_analog_telephone_adapter_firmware	*	Yes
Hardware	cisco	ata_187_analog_telephone_adapter	-	No

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cp6901-dup-cert-82jdJGe4 Vendor Advisory ([email protected])
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cp6901-dup-cert-82jdJGe4 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)