CVE-2022-20817: Cisco IP Phone Duplicate Key Vulnerability
First published: Wed Jun 15 2022(Updated: )
A vulnerability in Cisco Unified IP Phones could allow an unauthenticated, remote attacker to impersonate another user's phone if the Cisco Unified Communications Manager (CUCM) is in secure mode. This vulnerability is due to improper key generation during the manufacturing process that could result in duplicated manufactured keys installed on multiple devices. An attacker could exploit this vulnerability by performing a machine-in-the-middle attack on the secure communication between the phone and the CUCM. A successful exploit could allow the attacker to impersonate another user's phone. This vulnerability cannot be addressed with software updates. There is a workaround that addresses this vulnerability.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco Unified Ip Phone 6911 Firmware | ||
| Cisco Unified Ip Phone 6911 | ||
| Cisco Unified Ip Phone 6921 Firmware | ||
| Cisco Unified Ip Phone 6921 | ||
| Cisco Unified Ip Phone 6941 Firmware | ||
| Cisco Unified Ip Phone 6941 | ||
| Cisco Unified Ip Phone 6945 Firmware | ||
| Cisco Unified Ip Phone 6945 | ||
| Cisco Unified Ip Phone 6961 Firmware | ||
| Cisco Unified Ip Phone 6961 | ||
| Cisco Unified Ip Phone 8941 Firmware | ||
| Cisco Unified Ip Phone 8941 | ||
| Cisco Unified Ip Phone 8945 Firmware | ||
| Cisco Unified IP Phone 8945 | ||
| Cisco Unified Ip Phone 8961 Firmware | ||
| Cisco Unified Ip Phone 8961 | ||
| Cisco Unified Ip Phone 9951 Firmware | ||
| Cisco Unified Ip Phone 9951 | ||
| Cisco Unified Ip Phone 9971 Firmware | ||
| Cisco Unified Ip Phone 9971 | ||
| Cisco Ata 187 Analog Telephone Adapter Firmware | ||
| Cisco Ata 187 Analog Telephone Adapter |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-20817?
CVE-2022-20817 is a vulnerability in Cisco Unified IP Phones that could allow an unauthenticated remote attacker to impersonate another user's phone.
How does the vulnerability in Cisco Unified IP Phones occur?
The vulnerability occurs due to improper key generation during the manufacturing process.
What is the severity of CVE-2022-20817?
CVE-2022-20817 has a severity rating of 7.4 (High).
Which Cisco Unified IP Phone models are affected by CVE-2022-20817?
Cisco Unified IP Phones 6911, 6921, 6941, 6945, 6961, 8941, 8945, 8961, 9951, and 9971 are affected by CVE-2022-20817.
How can the vulnerability in Cisco Unified IP Phones be fixed?
To fix the vulnerability, apply the necessary firmware updates provided by Cisco.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/title
- agent/severity
- agent/author
- agent/weakness
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/cisco
- canonical/cisco unified ip phone 6911 firmware
- canonical/cisco unified ip phone 6911
- canonical/cisco unified ip phone 6921 firmware
- canonical/cisco unified ip phone 6921
- canonical/cisco unified ip phone 6941 firmware
- canonical/cisco unified ip phone 6941
- canonical/cisco unified ip phone 6945 firmware
- canonical/cisco unified ip phone 6945
- canonical/cisco unified ip phone 6961 firmware
- canonical/cisco unified ip phone 6961
- canonical/cisco unified ip phone 8941 firmware
- canonical/cisco unified ip phone 8941
- canonical/cisco unified ip phone 8945 firmware
- canonical/cisco unified ip phone 8945
- canonical/cisco unified ip phone 8961 firmware
- canonical/cisco unified ip phone 8961
- canonical/cisco unified ip phone 9951 firmware
- canonical/cisco unified ip phone 9951
- canonical/cisco unified ip phone 9971 firmware
- canonical/cisco unified ip phone 9971
- canonical/cisco ata 187 analog telephone adapter firmware
- canonical/cisco ata 187 analog telephone adapter