#VU59961 Cleartext storage of sensitive information in Cisco Systems, Inc Hardware solutions


Published: 2022-01-24

Vulnerability identifier: #VU59961

Vulnerability risk: Low

CVSSv3.1: 4 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-20660

CWE-ID: CWE-312

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Cisco Unified IP Conference Phone 8831
Hardware solutions / Office equipment, IP-phones, print servers
Cisco Unified IP Conference Phone 8831 for Third-Party Call Control
Hardware solutions / Office equipment, IP-phones, print servers
Unified IP Phone 7945G
Hardware solutions / Office equipment, IP-phones, print servers
Unified IP Phone 7965G
Hardware solutions / Office equipment, IP-phones, print servers
Unified IP Phone 7975G
Hardware solutions / Office equipment, IP-phones, print servers
Cisco IP Conference Phone 7832
Hardware solutions / Office equipment, IP-phones, print servers
Cisco IP Conference Phone 8832
Hardware solutions / Office equipment, IP-phones, print servers
Cisco IP Phone 7811
Hardware solutions / Office equipment, IP-phones, print servers
Cisco IP Phone 7821
Hardware solutions / Office equipment, IP-phones, print servers
Cisco IP Phone 7841
Hardware solutions / Office equipment, IP-phones, print servers
Cisco IP Phone 7861
Hardware solutions / Office equipment, IP-phones, print servers
Cisco IP Phone 8811
Hardware solutions / Office equipment, IP-phones, print servers
Cisco IP Phone 8841
Hardware solutions / Office equipment, IP-phones, print servers
Cisco IP Phone 8845
Hardware solutions / Office equipment, IP-phones, print servers
Cisco IP Phone 8851
Hardware solutions / Office equipment, IP-phones, print servers
Unified SIP Phone 3905
Hardware solutions / Office equipment, IP-phones, print servers
Cisco Wireless IP Phone 8821
Hardware solutions / Office equipment, IP-phones, print servers
Cisco Wireless IP Phone 8821-EX
Hardware solutions / Office equipment, IP-phones, print servers
Cisco IP Phone 8861
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco IP Phone 8865
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor: Cisco Systems, Inc

Description

The vulnerability allows a local attacker to gain access to potentially sensitive information.

The vulnerability exists due to unencrypted storage of confidential information. An attacker with physical access can obtain confidential information from the device.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Cisco Unified IP Conference Phone 8831: All versions

Cisco Unified IP Conference Phone 8831 for Third-Party Call Control: All versions

Unified IP Phone 7945G: All versions

Unified IP Phone 7965G: All versions

Unified IP Phone 7975G: All versions


External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-info-disc-fRdJfOxA
http://seclists.org/fulldisclosure/2022/Jan/34
http://packetstormsecurity.com/files/165567/Cisco-IP-Phone-Cleartext-Password-Storage.html


Q & A

Can this vulnerability be exploited remotely?

No. The attacker must have physical access to the system to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

