SB2022061618 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Cisco IP Phones
Published: June 16, 2022
Description
This security bulletin contains information about 1 security vulnerability.
1) Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CVE-ID: CVE-2022-20817)
The vulnerability allows a remote attacker to impersonate another user's phone.
The vulnerability exists due to improper key generation during the manufacturing process, which could result in duplicate manufactured keys being installed on multiple devices. A remote attacker can perform a machine-in-the-middle attack and impersonate another user's phone if the Cisco Unified Communications Manager (CUCM) is in secure mode.
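A defensive check that follows from the description above, added here as an example and not taken from the bulletin or the vendor: fingerprint the public key in each device certificate and report any key that appears on more than one device. It assumes an inventory of exported device certificates in DER form, which the bulletin does not describe; the device names, `INVENTORY` and the skeletal certificates are constructed.

```python
import hashlib
from collections import defaultdict

def tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_fingerprint(cert_der):
    """SHA-256 over the SubjectPublicKeyInfo of a DER X.509 certificate."""
    _, pos, _ = tlv(cert_der, 0)           # Certificate SEQUENCE
    _, pos, end = tlv(cert_der, pos)       # tbsCertificate SEQUENCE
    elems = []
    while pos < end:
        tag, _, nxt = tlv(cert_der, pos)
        elems.append((tag, pos, nxt))
        pos = nxt
    if elems and elems[0][0] == 0xA0:      # optional [0] version
        elems.pop(0)
    if len(elems) < 6:                     # serial, sigAlg, issuer, validity, subject, SPKI
        raise ValueError("not an X.509 tbsCertificate")
    _, start, stop = elems[5]
    return hashlib.sha256(cert_der[start:stop]).hexdigest()

def shared_keys(inventory):
    """Return {fingerprint: [devices]} for keys present on more than one device."""
    groups = defaultdict(list)
    for device, cert_der in inventory.items():
        groups[spki_fingerprint(cert_der)].append(device)
    return {fp: sorted(d) for fp, d in groups.items() if len(d) > 1}

# Constructed sample data: skeletal DER certificates, not real device certificates.
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body
def fake_cert(serial, key):
    spki = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + key))
    tbs = der(0x30, der(0xA0, b"\x02\x01\x02") + der(0x02, bytes([serial])) + der(0x30, b"") * 4 + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
INVENTORY = {"phone-a": fake_cert(1, b"\x11" * 200), "phone-b": fake_cert(2, b"\x22" * 200),
             "phone-c": fake_cert(3, b"\x11" * 200)}  # phone-c repeats phone-a's key
```

Hashing only the SubjectPublicKeyInfo, rather than the whole certificate, is what lets the check match devices whose certificates differ in serial number or subject but carry the same key.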
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.