Cisco has disclosed a high-severity vulnerability impacting its IP Phone 7800 and 8800 Series.
Tracked as CVE-2022-20968, an unauthenticated attacker can trigger the flaw to cause a stack overflow on an affected device, leading to remote code execution and denial of service attacks.
The vulnerability is due to insufficient input validation of received Cisco Discovery Protocol packets. An attacker could exploit this flaw by sending specially crafted Cisco Discovery Protocol packets to an affected device.
Cisco PSIRT is aware of the availability of a proof-of-concept exploit code for this vulnerability and is not aware of any malicious use of the vulnerability that is described in this advisory.
Currently, no workaround is available and only provided mitigation for this issue. Cisco recommends disabling the Cisco Discovery Protocol on affected IP phones that also support Link Layer Discovery Protocol (LLDP) for neighbor discovery. The devices will then use LLDP for discovery of configuration data such as voice VLAN, power negotiations.
Cisco planned to address this flaw in January 2023.