Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Cisco Systems, Inc products - CVE-2022-20817

 


Published: June 16, 2022


Vulnerability identifier: #VU64450
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-20817
CWE-ID: CWE-338
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Unified IP Phone 6901
ATA 187 Analog Telephone Adapter
Unified IP Phone 8945
Unified IP Phone 8961
Unified IP Phone 9951
Unified IP Phone 9971
Unified IP Phone 6911
Unified IP Phone 6921
Unified IP Phone 6941
Unified IP Phone 6945
Unified IP Phone 6961
Unified IP Phone 8941
Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to impersonate another user's phone. 

The vulnerability exists due to improper key generation during the manufacturing process, which could result in duplicated manufactured keys being installed on multiple devices. A remote attacker can perform a machine-in-the-middle attack and impersonate another user's phone if the Cisco Unified Communications Manager (CUCM) is in secure mode.
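As an added illustration of the weakness (example code, not from Cisco or Cybersecurity Help): a fleet check that fingerprints the SubjectPublicKeyInfo of each device's DER certificate and reports any key that appears on more than one device. It assumes you have already collected one DER certificate per phone; the `SAMPLE_CERTS` below are constructed, unsigned skeletons, not real Cisco certificates.

```python
import hashlib
from collections import defaultdict

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it). Definite lengths only."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long form: next (ln & 0x7F) bytes hold the length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def spki_fingerprint(cert_der):
    """SHA-256 of the SubjectPublicKeyInfo TLV inside a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(cert_der, 0)     # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = _tlv(cert, 0)          # tbsCertificate ::= SEQUENCE { ... }
    tag, _, nxt = _tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0    # skip the optional EXPLICIT [0] version field
    for _ in range(5):                 # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(tbs, pos)
    _, _, nxt = _tlv(tbs, pos)         # subjectPublicKeyInfo
    return hashlib.sha256(tbs[pos:nxt]).hexdigest()

def find_shared_keys(certs_by_device):
    """Map key fingerprint -> devices for every key that appears on more than one device."""
    groups = defaultdict(list)
    for device, der in certs_by_device.items():
        groups[spki_fingerprint(der)].append(device)
    return {fp: sorted(devs) for fp, devs in groups.items() if len(devs) > 1}

def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample certificates below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _fake_cert(serial, key_bytes):
    """Unsigned X.509 skeleton with the real tbsCertificate field order; names/validity are empty."""
    rsa_oid = _der(0x06, bytes.fromhex("2a864886f70d010101"))
    spki = _der(0x30, _der(0x30, rsa_oid + _der(0x05, b"")) + _der(0x03, b"\x00" + key_bytes))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial)
           + _der(0x30, b"") * 4 + spki)  # sigAlg, issuer, validity, subject placeholders
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

SAMPLE_CERTS = {                       # constructed: phone-a and phone-c share one "manufactured" key
    "phone-a": _fake_cert(b"\x01", b"\x11" * 32),
    "phone-b": _fake_cert(b"\x02", b"\x22" * 32),
    "phone-c": _fake_cert(b"\x03", b"\x11" * 32),
}
```

Run `find_shared_keys(SAMPLE_CERTS)` to get the offending fingerprint mapped to `["phone-a", "phone-c"]`; on real data, feed it the DER certificates exported from your phone inventory.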


Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

External links