ID

VAR-202201-0897


CVE

CVE-2022-20660


TITLE

plural  Cisco IP Phone  Vulnerability related to plaintext storage of important information in models

Trust: 0.8

sources: JVNDB: JVNDB-2022-003510

DESCRIPTION

A vulnerability in the information storage architecture of several Cisco IP Phone models could allow an unauthenticated, physical attacker to obtain confidential information from an affected device. This vulnerability is due to unencrypted storage of confidential information on an affected device. An attacker could exploit this vulnerability by physically extracting and accessing one of the flash memory chips. A successful exploit could allow the attacker to obtain confidential information from the device, which could be used for subsequent attacks

Trust: 1.71

sources: NVD: CVE-2022-20660 // JVNDB: JVNDB-2022-003510 // VULMON: CVE-2022-20660

AFFECTED PRODUCTS

vendor:ciscomodel:unified sip phone 3905scope:ltversion:9.4\(1\)sr5

Trust: 1.0

vendor:ciscomodel:unified ip phone 7965gscope:eqversion: -

Trust: 1.0

vendor:ciscomodel:ip phone 8845scope:ltversion:14.1\(1\)

Trust: 1.0

vendor:ciscomodel:unified ip phone 7945gscope:eqversion: -

Trust: 1.0

vendor:ciscomodel:unified ip conference phone 8831scope:eqversion: -

Trust: 1.0

vendor:ciscomodel:ip phone 8865scope:ltversion:14.1\(1\)

Trust: 1.0

vendor:ciscomodel:ip phone 8861scope:ltversion:14.1\(1\)

Trust: 1.0

vendor:ciscomodel:ip phone 7841scope:ltversion:14.1\(1\)

Trust: 1.0

vendor:ciscomodel:ip conference phone 7832scope:ltversion:14.1\(1\)

Trust: 1.0

vendor:ciscomodel:unified ip conference phone 8831 for third-party call controlscope:eqversion: -

Trust: 1.0

vendor:ciscomodel:ip phone 8841scope:ltversion:14.1\(1\)

Trust: 1.0

vendor:ciscomodel:wireless ip phone 8821scope:ltversion:11.0\(6\)sr2

Trust: 1.0

vendor:ciscomodel:ip phone 7811scope:ltversion:14.1\(1\)

Trust: 1.0

vendor:ciscomodel:ip phone 7821scope:ltversion:14.1\(1\)

Trust: 1.0

vendor:ciscomodel:unified ip phone 7975gscope:eqversion: -

Trust: 1.0

vendor:ciscomodel:ip phone 8811scope:ltversion:14.1\(1\)

Trust: 1.0

vendor:ciscomodel:wireless ip phone 8821-exscope:ltversion:11.0\(6\)sr2

Trust: 1.0

vendor:ciscomodel:ip conference phone 8832scope:ltversion:14.1\(1\)

Trust: 1.0

vendor:ciscomodel:ip phone 7861scope:ltversion:14.1\(1\)

Trust: 1.0

vendor:ciscomodel:ip phone 8851scope:ltversion:14.1\(1\)

Trust: 1.0

vendor:シスコシステムズmodel:cisco ip conference phone 7832scope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:ip phone 8811scope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:ip phone 7811scope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:ip phone 8845scope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:ip phone 7861scope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:ip phone 8851scope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:ip phone 7841scope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:ip phone 7821scope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:ip phone 8841scope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:cisco ip conference phone 8832scope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-003510 // NVD: CVE-2022-20660

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-20660
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20660
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-20660
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202201-905
value: MEDIUM

Trust: 0.6

VULMON: CVE-2022-20660
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2022-20660
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

nvd@nist.gov: CVE-2022-20660
baseSeverity: MEDIUM
baseScore: 4.6
vectorString: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 0.9
impactScore: 3.6
version: 3.1

Trust: 2.0

NVD: CVE-2022-20660
baseSeverity: MEDIUM
baseScore: 4.6
vectorString: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2022-20660 // JVNDB: JVNDB-2022-003510 // CNNVD: CNNVD-202201-905 // NVD: CVE-2022-20660 // NVD: CVE-2022-20660

PROBLEMTYPE DATA

problemtype:CWE-312

Trust: 1.0

problemtype:Plaintext storage of important information (CWE-312) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-003510 // NVD: CVE-2022-20660

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202201-905

PATCH

title:cisco-sa-ip-phone-info-disc-fRdJfOxAurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-info-disc-fRdJfOxA

Trust: 0.8

title:Cisco IP Phone Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=177710

Trust: 0.6

title:Cisco: Cisco IP Phones Information Disclosure Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ip-phone-info-disc-fRdJfOxA

Trust: 0.1

title:CVE-2022-XXXXurl:https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title:CVE-2022-XXXXurl:https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: VULMON: CVE-2022-20660 // JVNDB: JVNDB-2022-003510 // CNNVD: CNNVD-202201-905

EXTERNAL IDS

db:NVDid:CVE-2022-20660

Trust: 3.3

db:PACKETSTORMid:165567

Trust: 1.7

db:JVNDBid:JVNDB-2022-003510

Trust: 0.8

db:CS-HELPid:SB2022012415

Trust: 0.6

db:CNNVDid:CNNVD-202201-905

Trust: 0.6

db:VULMONid:CVE-2022-20660

Trust: 0.1

sources: VULMON: CVE-2022-20660 // JVNDB: JVNDB-2022-003510 // CNNVD: CNNVD-202201-905 // NVD: CVE-2022-20660

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ip-phone-info-disc-frdjfoxa

Trust: 2.4

url:http://packetstormsecurity.com/files/165567/cisco-ip-phone-cleartext-password-storage.html

Trust: 2.3

url:http://seclists.org/fulldisclosure/2022/jan/34

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-20660

Trust: 1.4

url:https://www.cybersecurity-help.cz/vdb/sb2022012415

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-ip-phone-information-disclosure-via-storage-architecture-37232

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/312.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/alphabugx/cve-2022-23305

Trust: 0.1

sources: VULMON: CVE-2022-20660 // JVNDB: JVNDB-2022-003510 // CNNVD: CNNVD-202201-905 // NVD: CVE-2022-20660

SOURCES

db:VULMONid:CVE-2022-20660
db:JVNDBid:JVNDB-2022-003510
db:CNNVDid:CNNVD-202201-905
db:NVDid:CVE-2022-20660

LAST UPDATE DATE

2024-11-23T21:50:44.472000+00:00


SOURCES UPDATE DATE

db:VULMONid:CVE-2022-20660date:2023-11-07T00:00:00
db:JVNDBid:JVNDB-2022-003510date:2023-02-22T03:20:00
db:CNNVDid:CNNVD-202201-905date:2022-01-25T00:00:00
db:NVDid:CVE-2022-20660date:2024-11-21T06:43:15.693

SOURCES RELEASE DATE

db:VULMONid:CVE-2022-20660date:2022-01-14T00:00:00
db:JVNDBid:JVNDB-2022-003510date:2023-02-22T00:00:00
db:CNNVDid:CNNVD-202201-905date:2022-01-12T00:00:00
db:NVDid:CVE-2022-20660date:2022-01-14T05:15:11.083