Flaws found in Cisco
Various flaws in the API and web-based management interface of Cisco TelePresence Video Communication Server (VCS) Software and Cisco Expressway Series Software can permit remote actors to dodge certificate authentication or execute cross-site request forgery attacks on targeted devices.
About the first bug
The first bug, tracked as CVE-2022-20814, is an improper certification validation problem, a remote, unauthorized actor can activate it to access critical information via a man-in-the-middle attack.
A bug in the certificate validation of Cisco TelePresence VCS and Cisco Expressway-C could permit a malicious, remote actor to have unauthenticated access to sensitive information.
The flaw is due to no validation of the SSL server certificate for an impacted device while it builds a connection to a Cisco Unified Communications Manager device.
The Cisco advisory says: “An attacker could exploit this vulnerability by using a man-in-the-middle technique to intercept the traffic between the devices and then using a self-signed certificate to impersonate the endpoint. A successful exploit could allow the attacker to view the intercepted traffic in clear text or alter the contents of the traffic.”
About the second bug
The second vulnerability, tracked CVE
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article:
The post Cisco Patched High Severity Bugs in Networking and Communications Products first appeared on IT Security News.