Vulnerability Details : CVE-2022-20817
A vulnerability in Cisco Unified IP Phones could allow an unauthenticated, remote attacker to impersonate another user's phone if the Cisco Unified Communications Manager (CUCM) is in secure mode. This vulnerability is due to improper key generation during the manufacturing process that could result in duplicated manufactured keys installed on multiple devices. An attacker could exploit this vulnerability by performing a machine-in-the-middle attack on the secure communication between the phone and the CUCM. A successful exploit could allow the attacker to impersonate another user's phone. This vulnerability cannot be addressed with software updates. There is a workaround that addresses this vulnerability.
Products affected by CVE-2022-20817
- cpe:2.3:o:cisco:unified_ip_phone_6961_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_6945_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_6941_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_6921_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_6911_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_8961_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_8945_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_8941_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_9971_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_9951_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:ata_187_analog_telephone_adapter_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-20817
0.19%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 57 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-20817
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0
|
MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:N |
4.9
|
4.9
|
NIST | |
7.4
|
HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
2.2
|
5.2
|
Cisco Systems, Inc. | |
7.4
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
2.2
|
5.2
|
NIST |
CWE ids for CVE-2022-20817
-
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.Assigned by:
- nvd@nist.gov (Primary)
- ykramarz@cisco.com (Secondary)
References for CVE-2022-20817
-
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cp6901-dup-cert-82jdJGe4
Cisco IP Phone Duplicate Key VulnerabilityVendor Advisory
Jump to