CVE-2022-20660
A vulnerability in the information storage architecture of several Cisco IP Phone models could allow an unauthenticated, physical attacker to obtain confidential information from an affected device. This vulnerability is due to unencrypted storage of confidential information on an affected device. An attacker could exploit this vulnerability by physically extracting and accessing one of the flash memory chips. A successful exploit could allow the attacker to obtain confidential information from the device, which could be used for subsequent attacks.
Published at
2022-01-14
Modified
2022-01-14
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-info-disc-fRdJfOxA
CISCO:20220113 Cisco IP Phones Information Disclosure Vulnerability
http://seclists.org/fulldisclosure/2022/Jan/34
FULLDISC:20220114 SEC Consult SA-20220113-0 :: Cleartext Storage of Phone Password in Cisco IP Phones
Vulnerability RAW
{
"Title": {
"_text": "CVE-2022-20660"
},
"Notes": {
"Note": [
{
"_text": "A vulnerability in the information storage architecture of several Cisco IP Phone models could allow an unauthenticated, physical attacker to obtain confidential information from an affected device. This vulnerability is due to unencrypted storage of confidential information on an affected device. An attacker could exploit this vulnerability by physically extracting and accessing one of the flash memory chips. A successful exploit could allow the attacker to obtain confidential information from the device, which could be used for subsequent attacks."
},
{
"_text": "2022-01-14"
},
{
"_text": "2022-01-14"
}
]
},
"CVE": {
"_text": "CVE-2022-20660"
},
"References": {
"Reference": [
{
"URL": {
"_text": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-info-disc-fRdJfOxA"
},
"Description": {
"_text": "CISCO:20220113 Cisco IP Phones Information Disclosure Vulnerability"
}
},
{
"URL": {
"_text": "http://seclists.org/fulldisclosure/2022/Jan/34"
},
"Description": {
"_text": "FULLDISC:20220114 SEC Consult SA-20220113-0 :: Cleartext Storage of Phone Password in Cisco IP Phones"
}
}
]
}
}