Critical Security Vulnerabilities in Cisco Expressway Series

Cisco has reported two CRITICAL security vulnerabilities and one HIGH severity vulnerability affecting Cisco Expressway Series devices. The details of these vulnerabilities and the fixes Cisco has released are shared below.

Salient points

  • Cisco has confirmed three security vulnerabilities affecting Cisco Expressway Series devices. Two of these are CRITICAL vulnerabilities with a CVSS score of 9.6; one is a HIGH severity vulnerability with a CVSS score of 8.2.
  • The affected devices include the Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices.
  • CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255 are the latest security vulnerabilities reported by Cisco on 7 February 2024.
  • CVE-2024-20254 (CVSS score 9.6): This vulnerability affects Cisco Expressway Series devices in the default configuration.
  • CVE-2024-20252: This vulnerability affects Cisco Expressway Series devices if the cluster database (CDB) API feature has been enabled. This feature is disabled by default. It has a CVSS score of 9.6.
  • The security advisory by Cisco has been allocated the serial number cisco-sa-expressway-csrf-KnnZDMj3.
  • Cisco has released software updates to address these security vulnerabilities.
  • All these security vulnerabilities were found as part of Cisco’s internal testing.
  • No workarounds are available to address these security vulnerabilities. You will need to deploy the latest software updates on the affected devices.
  • Cisco customers with valid service contracts can download the software updates through the Cisco Downloads page.
  • Cisco customers without active service contracts are advised to contact the Cisco TAC for software updates. Before contacting TAC, ensure that you have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. The Cisco advisory identifier is cisco-sa-expressway-csrf-KnnZDMj3.
  • Cisco TelePresence Video Communication Server (VCS) has reached its end-of-support date and is no longer included in Cisco Expressway Series advisories. The VCS is also affected by these security vulnerabilities.

About the Cisco Expressway Series Cross-Site Request Forgery Vulnerabilities

Multiple vulnerabilities in the Cisco Expressway Series could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks, which could allow the attacker to perform arbitrary actions on an affected device.

The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.

CVE-2024-20252 and CVE-2024-20254: Cisco Expressway Series Cross-Site Request Forgery Vulnerabilities

Two vulnerabilities in the API of Cisco Expressway Series devices could allow an unauthenticated, remote attacker to conduct CSRF attacks on an affected system.

These vulnerabilities are due to insufficient CSRF protections for the web-based management interface of an affected system. An attacker could exploit these vulnerabilities by persuading a user of the API to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts.

CVE-2024-20255: Cisco Expressway Series Cross-Site Request Forgery Vulnerability

A vulnerability in the API of the Cisco Expressway Series could allow an unauthenticated, remote attacker to conduct a CSRF attack on an affected system.

This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the API to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the affected user has administrative privileges, these actions could include overwriting system configuration settings, which could prevent the system from processing calls properly and result in a denial of service (DoS) condition.
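All three CVEs above share one root cause: a state-changing management API request that is authenticated by the browser's session cookie alone. The following added example (not Cisco's code; the origin, paths and session store are constructed for illustration) contrasts such an unprotected handler with one that enforces a same-origin check and a per-session synchronizer token, which is the generic mitigation a vendor fix for this class of bug applies.

```python
# Added example: why a cookie-only API is CSRF-able and how a same-origin
# check plus a synchronizer token closes the hole. Not Cisco's code; the
# trusted origin, paths and in-memory session store are constructed values.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://expressway.example.internal"  # constructed
UNSAFE_METHODS = ("POST", "PUT", "PATCH", "DELETE")


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


SESSIONS: dict = {}  # constructed stand-in for a server-side session store


def source_origin(req):
    """scheme://host[:port] of the page that sent the request, or None."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return None
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}"  # exact match, no prefix test


def csrf_check(req, sess):
    """Return None if the request is same-origin and carries a valid token."""
    if source_origin(req) != TRUSTED_ORIGIN:  # missing header fails closed
        return "origin mismatch"
    token = req.headers.get("X-CSRF-Token") or req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return "bad token"
    return None


def handle_unprotected(req, sessions=SESSIONS):
    """Cookie-only auth: a cross-site request carrying the victim's cookie
    is indistinguishable from a legitimate one, so it succeeds."""
    sess = sessions.get(req.cookies.get("sid"))
    return (401, "no session") if sess is None else (200, f"{sess.user} did {req.path}")


def handle_protected(req, sessions=SESSIONS):
    """Same handler, but every state-changing method must pass csrf_check."""
    sess = sessions.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "no session"
    if req.method in UNSAFE_METHODS:
        reason = csrf_check(req, sess)
        if reason:
            return 403, reason
    return 200, f"{sess.user} did {req.path}"
```

The protected handler also never performs a state change on GET, so a plain crafted link cannot trigger one.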

Remediation

Cisco has released the latest software updates to address CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255.

  • For Cisco Expressway Series releases earlier than 14.0 – it is recommended to upgrade to a fixed release.
  • For Cisco Expressway Series 14.0 – it is recommended to upgrade to 14.3.4.
  • For Cisco Expressway Series 15.0 – it is recommended to upgrade to 15.0.0.


Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.