A vulnerability in the certificate validation of Cisco Expressway-C and Cisco TelePresence VCS could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data.  The vulnerability is due to a lack of validation of the SSL server certificate that an affected device receives when it establishes a connection to a Cisco Unified Communications Manager device. An attacker could exploit this vulnerability by using a man-in-the-middle technique to intercept the traffic between the devices, and then using a self-signed certificate to impersonate the endpoint. A successful exploit could allow the attacker to view the intercepted traffic in clear text or alter the contents of the traffic. Note: Cisco Expressway-E is not affected by this vulnerability.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
History

Fri, 15 Nov 2024 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Cisco
Cisco telepresence Video Communication Server
CPEs cpe:2.3:a:cisco:telepresence_video_communication_server:-:*:*:*:expressway:*:*:*
Vendors & Products Cisco
Cisco telepresence Video Communication Server
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 15 Nov 2024 15:45:00 +0000

Type Values Removed Values Added
Description A vulnerability in the certificate validation of Cisco Expressway-C and Cisco TelePresence VCS could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data.  The vulnerability is due to a lack of validation of the SSL server certificate that an affected device receives when it establishes a connection to a Cisco Unified Communications Manager device. An attacker could exploit this vulnerability by using a man-in-the-middle technique to intercept the traffic between the devices, and then using a self-signed certificate to impersonate the endpoint. A successful exploit could allow the attacker to view the intercepted traffic in clear text or alter the contents of the traffic. Note: Cisco Expressway-E is not affected by this vulnerability.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Title Cisco Expressway Series and Cisco TelePresence VCS Improper Certificate Validation Vulnerability
Weaknesses CWE-295
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2024-11-15T15:32:47.058Z

Updated: 2024-11-15T21:15:35.408Z

Reserved: 2021-11-02T13:28:29.175Z

Link: CVE-2022-20814

cve-icon Vulnrichment

Updated: 2024-11-15T21:15:24.552Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-11-15T16:15:22.670

Modified: 2024-11-21T06:43:36.460

Link: CVE-2022-20814

cve-icon Redhat

No data.