Cisco has identified and patched several critical vulnerabilities in its Expressway Series collaboration gateways, which could expose vulnerable devices to cross-site request forgery (CSRF) attacks. The Cisco Expressway Series is a set of collaboration gateways designed to provide secure and efficient communication and collaboration for organizations. These vulnerabilities pose a significant risk of unauthorized access, privilege escalation, and denial-of-service (DoS) conditions.
Details of Vulnerabilities
- CVE-2024-20252 and CVE-2024-20254 (CVSS score: 9.6):
  - These vulnerabilities impact Cisco Expressway Series devices and can be exploited remotely by unauthenticated attackers.
  - Insufficient CSRF protections in the web-based management interface may allow attackers to conduct CSRF attacks.
  - Successful exploitation could enable attackers to perform arbitrary actions with the privilege level of the affected user, including modifying system configurations and creating new privileged accounts.
  - CVE-2024-20254 affects devices in the default configuration, while CVE-2024-20252 requires the cluster database (CDB) API feature to be enabled.
- CVE-2024-20255 (CVSS score: 8.2):
  - This vulnerability affects Cisco Expressway Series devices, allowing unauthenticated, remote attackers to conduct CSRF attacks.
  - Exploitation may lead to the overwriting of system configuration settings, resulting in a denial-of-service (DoS) condition.
  - The impact is higher if the affected user has administrative privileges.
Affected Products
- CVE-2024-20254 and CVE-2024-20255: Cisco Expressway Series devices in the default configuration.
- CVE-2024-20252: Cisco Expressway Series devices with the cluster database (CDB) API feature enabled.
Mitigation and Patching
- No workarounds are available to address these vulnerabilities.
- Cisco has released software updates addressing these vulnerabilities in Cisco Expressway Series Release versions 14.3.4 and 15.0.0.
- Users are advised to upgrade to the fixed software releases based on their current version.
- To enable the complete fix, users should run the following command, as detailed in the Cisco Expressway Administrator Guide: xconfiguration Security CSRFProtection status: "Enabled"
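
The following fleet triage is an added example, not code from Cisco or from the original page. It applies the affected-product and fixed-release rules above to an inventory export. The inventory records, their field names, and the optional leading "X" on version strings are assumptions. It also assumes that releases later than 14.3.4 keep the fix and that the CSRFProtection setting is needed on every fixed release, since the page does not distinguish between them.

```python
import re

FIXED_RELEASES = [(14, 3, 4), (15, 0, 0)]  # fixed releases named in the summary above
DEFAULT_CONFIG_CVES = ["CVE-2024-20254", "CVE-2024-20255"]
CDB_API_CVE = "CVE-2024-20252"  # only applies when the CDB API feature is enabled

INVENTORY = [  # constructed sample records; hosts and field names are hypothetical
    {"host": "exp-c-01", "version": "X14.2.5", "cdb_api_enabled": True},
    {"host": "exp-e-01", "version": "X14.0.1", "cdb_api_enabled": False},
    {"host": "exp-c-02", "version": "X14.3.4", "csrf_protection_enabled": False},
    {"host": "exp-e-02", "version": "X15.0.0", "csrf_protection_enabled": True},
]

def parse_version(text):
    """Parse 'X14.3.2' or '14.3' into a 3-tuple; missing parts count as 0."""
    m = re.fullmatch(r"[Xx]?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())

def triage(device):
    """Return (status, applicable_cves, action) for one inventory record."""
    version = parse_version(device["version"])
    if version < min(FIXED_RELEASES):
        cves = list(DEFAULT_CONFIG_CVES)
        if device.get("cdb_api_enabled"):
            cves.insert(0, CDB_API_CVE)
        return "vulnerable", cves, "upgrade to 14.3.4 or 15.0.0, then enable CSRFProtection"
    # A missing or unknown setting is treated as disabled, so the device is re-checked.
    if not device.get("csrf_protection_enabled"):
        return "fix-incomplete", [], 'run: xconfiguration Security CSRFProtection status: "Enabled"'
    return "fixed", [], "none"

def report(inventory):
    """Map each host to its triage result."""
    return {d["host"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for host, (status, cves, action) in report(INVENTORY).items():
        print(f"{host}: {status} [{', '.join(cves) or '-'}] -> {action}")
```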
Exploitation and Public Announcements
- The Cisco PSIRT is not aware of any public announcements or malicious use of these vulnerabilities.
- Users are urged to apply the provided patches promptly to mitigate the risk of exploitation.