Cisco has patched several vulnerabilities affecting its Expressway Series collaboration gateways, two of them rated as critical severity and exposing vulnerable devices to cross-site request forgery (CSRF) attacks.
Attackers can exploit CSRF vulnerabilities to trick authenticated users into clicking malicious links or visiting attacker-controlled webpages to perform unwanted actions such as adding new user accounts, executing arbitrary code, gaining admin privileges, and more.
Unauthenticated attackers can exploit the two critical CSRF vulnerabilities patched today (CVE-2024-20252 and CVE-2024-20254) to target unpatched Expressway gateways remotely.
“An attacker could exploit these vulnerabilities by persuading a user of the API to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user,” Cisco warned.
“If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts.”
A third CSRF security bug tracked as CVE-2024-20255 can also be used to alter vulnerable systems’ configuration and trigger denial of service conditions.
CVE-2024-20254 and CVE-2024-20255 impact Cisco Expressway Series devices with default configurations, while CVE-2024-20252 can only be exploited to attack gateways where the cluster database (CDB) API feature has been toggled on.
Cisco Expressway Series Release | First Fixed Release |
---|---|
Earlier than 14.0 | Migrate to a fixed release. |
14.0 | 14.3.4 |
15.0 | Not vulnerable. |
The company says it will not release security updates for the Cisco TelePresence Video Communication Server (VCS) gateway to address the three vulnerabilities since it’s reached the end-of-support date on December 31, 2023.
Cisco’s Product Security Incident Response Team (PSIRT) has found no evidence of public proof of concept exploits or exploitation attempts targeting these vulnerabilities.
Last month, Cisco warned of a critical severity remote code execution flaw impacting its Unified Communications Manager (CM) and Contact Center Solutions products after patching a severe Unity Connection bug that could let unauthenticated attackers gain root privileges remotely.
In October, Cisco also released security patches for two zero-days that were used to compromise more than 50,000 IOS XE devices within a week.
Hackers exploited a second IOS and IOS XE zero-day last year in attacks, a bug that enabled them to execute arbitrary code, gain complete control of vulnerable systems, and trigger denial of service (DoS) conditions.