
Fix for high-severity Cisco IP Phone flaw underway

Cisco has announced that patches for a high-severity flaw affecting certain IP phone models are set to arrive next month, according to SecurityWeek. Cisco's 7800 and 8800 series IP phones, except the 8821, running firmware versions 14.2 and earlier are affected by the stack buffer overflow vulnerability, tracked as CVE-2022-20968, which could be exploited to achieve arbitrary code execution or cause a denial-of-service condition. Although the vulnerability has not been actively exploited in attacks, threat actors have been discussing the flaw publicly and could leverage the already available proof-of-concept exploit, said Cisco, which offered a mitigation that can be applied while awaiting an official fix. The vulnerability, which involves the Discovery Protocol processing feature, was reported to Cisco by Qian Chen of the Codesafe Team of Legendsec at Chinese cybersecurity firm Qi'anxin Group. Qi'anxin Group researchers have previously identified security bugs in Google, Apple, HP Enterprises, Oracle, and Moxa products.
