A zero-day vulnerability has been identified in the Cisco Discovery Protocol processing feature of Cisco IP Phone 7800 and 8800 series firmware. Cisco has released a security advisory disclosing this high severity flaw but has not yet released an update to patch it. An update is due in January 2023 and is expected to be Cisco IP Phone version 14.2(1). Until that release these devices remain vulnerable, as Cisco has not published any official workarounds either.
The vulnerability, tracked as CVE-2022-20968, is a high severity flaw with a CVSS base score of 8.8. It is caused by insufficient input validation of received Cisco Discovery Protocol packets, which results in an out-of-bounds write on the device. An adjacent attacker can exploit it by sending specially crafted Cisco Discovery Protocol traffic to cause a stack overflow. This stack overflow could result in remote code execution on the affected device, or a crash causing denial of service (DoS). Although this vulnerability has been publicly disclosed, and proof of concept (PoC) code is believed to have been released, the Cisco Product Security Incident Response Team (PSIRT) has stated that it is not aware of any attempts to exploit this flaw in the wild.
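What sufficient validation of a length-prefixed discovery packet looks like, as an added illustration that is not Cisco's firmware code and is not taken from the advisory: a bounds-checked C walk of Cisco Discovery Protocol TLVs. The Device ID field, the function name and the sample packets are assumptions chosen for illustration; the page does not say which field is involved in CVE-2022-20968.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CDP_HDR_LEN 4u         /* version(1) + TTL(1) + checksum(2) */
#define TLV_HDR_LEN 4u         /* type(2) + length(2), big-endian */
#define TLV_DEVICE_ID 0x0001u  /* used here only as a sample field */

enum { CDP_OK = 0, CDP_TRUNCATED = -1, CDP_BAD_TLV_LEN = -2,
       CDP_VALUE_TOO_LONG = -3, CDP_NOT_FOUND = -4 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Copy the Device ID value into out as a NUL-terminated string. */
int cdp_get_device_id(const uint8_t *pkt, size_t len, char *out, size_t out_sz)
{
    if (len < CDP_HDR_LEN) return CDP_TRUNCATED;
    size_t off = CDP_HDR_LEN;
    while (off < len) {
        if (len - off < TLV_HDR_LEN) return CDP_TRUNCATED;
        uint16_t type = be16(pkt + off);
        size_t tlv_len = be16(pkt + off + 2);   /* includes the 4-byte header */
        /* Reject lengths that underflow the header or run past the packet. */
        if (tlv_len < TLV_HDR_LEN || tlv_len > len - off) return CDP_BAD_TLV_LEN;
        size_t val_len = tlv_len - TLV_HDR_LEN;
        if (type == TLV_DEVICE_ID) {
            /* Bound the copy by the destination, not by the sender's length. */
            if (val_len >= out_sz) return CDP_VALUE_TOO_LONG;
            memcpy(out, pkt + off + TLV_HDR_LEN, val_len);
            out[val_len] = '\0';
            return CDP_OK;
        }
        off += tlv_len;   /* tlv_len >= 4, so the loop always advances */
    }
    return CDP_NOT_FOUND;
}

/* Constructed samples (checksum bytes are zeroed and not verified here). */
static const uint8_t ok_pkt[]  = { 2, 180, 0, 0,  0, 1, 0, 7, 's', 'w', '1' };
static const uint8_t bad_pkt[] = { 2, 180, 0, 0,  0, 1, 0x01, 0x00, 's', 'w' };

int main(void)
{
    char id[8];
    printf("%d\n", cdp_get_device_id(ok_pkt, sizeof ok_pkt, id, sizeof id));
    printf("%d\n", cdp_get_device_id(bad_pkt, sizeof bad_pkt, id, sizeof id));
    return 0;
}
```

The second sample declares a 256-byte TLV inside a 10-byte packet and is rejected before any copy takes place.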
As there is currently no security update or workaround to address this flaw, admins can implement some of Cisco’s mitigation advice to secure vulnerable devices from potential attacks. Affected Cisco IP Phone 7800 and 8800 devices that support Link Layer Discovery Protocol (LLDP) for neighbour discovery can have the Cisco Discovery Protocol disabled, as the exploit depends on this protocol. The devices can then use LLDP for configuration data discovery, including voice VLAN and power negotiation. However, this change should only be made if it is essential for the device to be secured before the update is released next month.