Advisory February 8, 2024

Critical Vulnerabilities in Cisco Expressway Series

The Obrela Threat Intelligence Team

Cisco has identified and patched several critical vulnerabilities in its Expressway Series collaboration gateways, which could expose vulnerable devices to cross-site request forgery (CSRF) attacks. The Cisco Expressway Series is a set of collaboration gateways designed to provide secure and efficient communication and collaboration for organizations. These vulnerabilities pose a significant risk of unauthorized access, privilege escalation, and denial-of-service (DoS) conditions.

Details of Vulnerabilities

  1. CVE-2024-20252 and CVE-2024-20254 (CVSS score: 9.6):
    • These vulnerabilities impact Cisco Expressway Series devices and can be exploited remotely by unauthenticated attackers.
    • Insufficient CSRF protections in the web-based management interface may allow attackers to conduct CSRF attacks.
    • Successful exploitation could enable attackers to perform arbitrary actions with the privilege level of the affected user, including modifying system configurations and creating new privileged accounts.
    • Affected devices in the default configuration are vulnerable, while CVE-2024-20252 requires the cluster database (CDB) API feature to be enabled.
  2. CVE-2024-20255 (CVSS score: 8.2):
    • This vulnerability affects Cisco Expressway Series devices, allowing unauthenticated, remote attackers to conduct CSRF attacks.
    • Exploitation may lead to the overwriting of system configuration settings, resulting in a denial-of-service (DoS) condition.
    • The impact is higher if the affected user has administrative privileges.

Affected Products

  • CVE-2024-20254 and CVE-2024-20255: Cisco Expressway Series devices in the default configuration.
  • CVE-2024-20252: Cisco Expressway Series devices with the cluster database (CDB) API feature enabled.

Mitigation and Patching

  • No workarounds are available to address these vulnerabilities.
  • Cisco has released software updates addressing these vulnerabilities in Cisco Expressway Series Release versions 14.3.4 and 15.0.0.
  • Users are advised to upgrade to the fixed software releases based on their current version.
  • To enable the complete fix, users should run the xconfiguration Security CSRFProtection status: “Enabled” command, as detailed in the Cisco Expressway Administrator Guide.

Exploitation and Public Announcements

  • The Cisco PSIRT is not aware of any public announcements or malicious use of these vulnerabilities.
  • Users are urged to apply the provided patches promptly to mitigate the risk of exploitation.

References

earth and shield - Advisory image