Flaws found in Cisco TelePresence VCS and Expressway Series
Two flaws in the API and web-based management interface of Cisco TelePresence Video Communication Server (VCS) Software and Cisco Expressway Series Software could allow remote attackers to bypass certificate validation or carry out cross-site request forgery attacks against affected devices.
About the first bug
The first bug, tracked as CVE-2022-20814, is an improper certificate validation issue: an unauthenticated, remote attacker can exploit it to read sensitive information through a man-in-the-middle (MITM) attack.
The flaw lies in the certificate validation of Cisco TelePresence VCS and Cisco Expressway-C, and it could allow an unauthenticated, remote attacker to access sensitive information.
It exists because an affected device does not validate the SSL server certificate when it establishes a connection to a Cisco Unified Communications Manager (CUCM) device, so anyone positioned on that link can present a certificate of their own choosing.
The Cisco advisory says: "An attacker could exploit this vulnerability by using a man-in-the-middle technique to intercept the traffic between the devices and then using a self-signed certificate to impersonate the endpoint. A successful exploit could allow the attacker to view the intercepted traffic in clear text or alter the contents of the traffic."
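An added example, not Cisco's code, of what "no validation of the SSL server certificate" looks like on the client side, using Python's standard ssl module: a context that accepts any certificate (the flaw described above, where a self-signed certificate from a MITM completes the handshake) next to a hardened context that validates the chain and the hostname, plus a small audit helper that flags the weak settings. The CUCM hostname and the default port are hypothetical.

```python
import socket
import ssl
from typing import List, Optional

# Hypothetical CUCM peer hostname, used only for illustration.
CUCM_HOST = "cucm.example.internal"


def make_vulnerable_context() -> ssl.SSLContext:
    """Client context that reproduces the class of flaw: the peer certificate
    is never validated, so a MITM presenting a self-signed certificate for
    CUCM_HOST completes the handshake and can read or alter the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate, signed by anyone
    return ctx


def make_hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that validates the chain against a trusted CA set (the
    system store, or a dedicated CA bundle for the CUCM peer) and checks that
    the certificate name matches the host being dialled."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets verify_mode=CERT_REQUIRED and
    # check_hostname=True; asserting them keeps a later edit from silently
    # weakening the context.
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for settings that let an attacker impersonate the peer.
    An empty list means the context validates the server certificate."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: server certificate is not "
                        "validated, a self-signed certificate from a MITM is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: a certificate issued for another "
                        "host would be accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: downgrade to weak "
                        "protocol versions is possible")
    return findings


def open_tls_connection(ctx: ssl.SSLContext, host: str = CUCM_HOST,
                        port: int = 443, timeout: float = 5.0) -> ssl.SSLSocket:
    """Dial host:port with ctx. With the hardened context an impersonating
    self-signed certificate raises ssl.SSLCertVerificationError instead of
    returning a socket the caller would trust. Port 443 is an assumed default."""
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("vulnerable", make_vulnerable_context()),
                      ("hardened", make_hardened_context())):
        print(f"{name}: {audit_client_context(ctx) or ['no findings']}")
```

The audit helper is the piece worth reusing: run it over every client SSLContext a service builds, and treat any finding as a defect, because a context with CERT_NONE or check_hostname=False is exactly the condition the advisory describes.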
About the second bug
The second vulnerability, tracked as CVE-2022-20853, is a cross-site request forgery (CSRF) flaw that can be exploited to cause a denial of service (DoS) condition by luring a victim into opening a specially crafted link.
"A vulnerability in the REST API of Cisco Expressway Series and Cisco TelePresence VCS could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system," states the advisory.
"This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the REST API to follow a crafted link. A successful exploit could allow the attacker to cause the affected system to reload."
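An added example, not Cisco's code, of why "insufficient CSRF protections" on a cookie-authenticated REST API lets a crafted link reload a device. The /api/restart path, the session model and the management-interface origin are hypothetical. The vulnerable handler acts on any request that carries the victim's session cookie, which the browser attaches automatically when the victim follows the link; the hardened handler refuses state changes over GET, checks the Origin (or Referer) header, and requires a per-session token that a cross-site page cannot obtain.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

# Hypothetical management-interface origin; a cross-site page never has it.
ALLOWED_ORIGIN = "https://expressway.example.internal"

# In-memory session store: session id -> {"user": ..., "csrf": per-session token}
SESSIONS: Dict[str, Dict[str, str]] = {}


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive header lookup."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


@dataclass
class Response:
    status: int
    body: str
    reloaded: bool = False  # True when the handler triggered a device reload


def login(user: str) -> str:
    """Create a session and return its id (what the browser stores as a cookie)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the legitimate UI embeds in its pages; only same-origin code can read it."""
    return SESSIONS[sid]["csrf"]


def _session(req: Request) -> Optional[Dict[str, str]]:
    return SESSIONS.get(req.cookies.get("session", ""))


def handle_vulnerable(req: Request) -> Response:
    """Insufficient CSRF protection: the session cookie is the only check, and
    browsers attach cookies to cross-site requests such as a crafted link."""
    if _session(req) is None:
        return Response(401, "authentication required")
    if req.path == "/api/restart":
        return Response(200, "restarting", reloaded=True)
    return Response(404, "no such resource")


def _same_origin(url: str, allowed: str) -> bool:
    a, b = urlsplit(url), urlsplit(allowed)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def handle_hardened(req: Request) -> Response:
    """Three independent CSRF defences in front of a state-changing endpoint."""
    sess = _session(req)
    if sess is None:
        return Response(401, "authentication required")
    if req.path != "/api/restart":
        return Response(404, "no such resource")
    # 1. A crafted link is a top-level GET: never change state on GET.
    if req.method != "POST":
        return Response(405, "state-changing requests must use POST")
    # 2. Browsers set Origin (or at least Referer) on cross-site requests;
    #    a mismatch, or neither header present, is rejected.
    src = req.header("Origin") or req.header("Referer")
    if not src or not _same_origin(src, ALLOWED_ORIGIN):
        return Response(403, "cross-site request rejected")
    # 3. Per-session token that a cross-site page cannot read, compared in
    #    constant time so the check does not leak the token byte by byte.
    token = req.header("X-CSRF-Token") or ""
    if not hmac.compare_digest(token, sess["csrf"]):
        return Response(403, "missing or invalid CSRF token")
    return Response(200, "restarting", reloaded=True)
```

Marking the session cookie SameSite=Lax or Strict adds a fourth layer in real deployments, but the server-side checks above are the ones that do not depend on the victim's browser version.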
The Cisco PSIRT did not report any public announcements or in-the-wild exploitation of these vulnerabilities.