WNE Security News

Read more about “Cisco Expressway Series Cross-Site Request Forgery Vulnerabilities” and the most important cybersecurity news to stay up to date with

Cisco Expressway Series Cross-Site Request Forgery

Cybersecurity Service Provider

WNE Security Publisher

2/9/2024

(CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255) Base Score:

9.6

Cisco Expressway Series Cross-Site Request Forgery ​ (CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255)

 

Learn about CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255 and other newly exploited vulnerabilities and new best practices by subscribing to our newsletter.

CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255 Description

The Cisco Expressway Series vulnerabilities, identified as CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255, are critical and high-severity cross-site request forgery (CSRF) issues that could allow unauthenticated, remote attackers to perform arbitrary actions on an affected device by convincing a user to click on a crafted link. These vulnerabilities are significant due to their potential impact on the security of the Cisco Expressway Series devices, which include the Cisco Expressway Control (Expressway-C) and Cisco Expressway Edge (Expressway-E) devices.

CVE-2024-20252 and CVE-2024-20254 are critical vulnerabilities arising from insufficient CSRF protections for the web-based management interface of an affected system. Attackers exploiting these vulnerabilities could potentially modify system configurations and create new privileged accounts if the targeted user has administrative rights. The CVSS Base Score for these vulnerabilities is 9.6, indicating their critical severity.

CVE-2024-20255 is a high-severity vulnerability, also resulting from inadequate CSRF protections, with a CVSS Base Score of 8.2. An attacker could exploit this vulnerability to overwrite system configuration settings, potentially preventing the system from processing calls properly, leading to a denial of service (DoS) condition.

The affected products include Cisco Expressway Series devices in their default configurations, with CVE-2024-20252 specifically affecting devices where the cluster database (CDB) API feature has been enabled, a feature that is disabled by default.

What is Affected By CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255

The vulnerabilities identified as CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255 affect the Cisco Expressway Series devices. Specifically:

  • CVE-2024-20254 and CVE-2024-20255 affect Cisco Expressway Series devices in their default configuration.
  • CVE-2024-20252 affects Cisco Expressway Series devices if the cluster database (CDB) API feature has been enabled. This feature is disabled by default.

These vulnerabilities do not depend on one another for exploitation, meaning that an attacker could exploit one without needing to exploit the others. Additionally, a software release affected by one of the vulnerabilities may not necessarily be affected by the others.

The Cisco Expressway Series encompasses both the Cisco Expressway Control (Expressway-C) and Cisco Expressway Edge (Expressway-E) devices. These devices are designed to facilitate secure, seamless communication across firewalls, providing services such as voice, video, instant messaging, and presence. Given their critical role in secure communications, the vulnerabilities pose significant risks if left unpatched, including potential unauthorized system modifications and denial of service (DoS) conditions​.

Mitigation and Remediation For CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255

To mitigate and remediate the vulnerabilities identified as CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255 in Cisco Expressway Series devices, Cisco has released software updates that address these vulnerabilities, as there are no workarounds available to mitigate them directly. The recommended steps for mitigation and remediation include:

  1. Upgrading Cisco Expressway Series Software: Customers are advised to upgrade their Cisco Expressway Series devices to the fixed software versions provided by Cisco. Specifically, Cisco has made patches available in the following versions:

    • For Expressway Series earlier than version 14.0, it is recommended to migrate to a fixed release.
    • Version 14.0 should be upgraded to 14.3.4 or later.
    • Version 15.0 should be upgraded to 15.0.0 or later.
  2. Enabling CSRF Protection: After updating to a fixed software release, it is also recommended to enable CSRF protection by running the command xconfiguration Security CSRFProtection status: "Enabled" as detailed in the Cisco Expressway Administrator Guide. This step is crucial for ensuring that the fix is fully applied and effective against CSRF attacks.

  3. Regularly Consulting Cisco Security Advisories: Customers are encouraged to regularly review Cisco security advisories for the most current information on vulnerabilities and to determine exposure and complete upgrade solutions.

  4. Contacting Cisco Technical Assistance Center (TAC): Customers without service contracts or those unable to obtain fixed software through their usual channels are advised to contact the Cisco TAC for assistance and access to free upgrades, ensuring to provide the product serial number and reference to the advisory as evidence of entitlement.

It’s important for organizations to promptly apply these updates and configurations to protect their networks from potential exploitation of these vulnerabilities. By following Cisco’s guidance and ensuring that devices are running the recommended software versions with appropriate configurations, organizations can mitigate the risks associated with these vulnerabilities.

Impact of Successful Exploitation of CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255

The successful exploitation of CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255 could have significant impacts on affected Cisco Expressway Series devices, given the critical nature of these vulnerabilities. The impacts are as follows:

  • For CVE-2024-20252 and CVE-2024-20254: The successful exploitation of these vulnerabilities could allow an unauthenticated, remote attacker to perform arbitrary actions with the privilege level of the affected user through cross-site request forgery (CSRF) attacks. If the targeted user possesses administrative privileges, the attacker could potentially modify system configurations and create new privileged accounts. This could lead to unauthorized access and control over the system, data breaches, and other malicious activities. The CVSS Base Score for these vulnerabilities is 9.6, indicating their critical severity.

  • For CVE-2024-20255: Similar to the above, this vulnerability also allows for CSRF attacks but with a specific impact that could include overwriting system configuration settings. If an attacker successfully exploits this vulnerability, they could prevent the Cisco Expressway system from processing calls properly, leading to a denial of service (DoS) condition. This impact is particularly concerning for organizations that rely on Cisco Expressway for critical communication functions, as it could disrupt operations. The CVSS Base Score for this vulnerability is 8.2, indicating its high severity.

The overarching impact of these vulnerabilities is the potential compromise of the confidentiality, integrity, and availability of the affected systems. Given that the Cisco Expressway Series is used to facilitate secure, seamless communication across firewalls for services such as voice, video, instant messaging, and presence, the successful exploitation of these vulnerabilities could severely impact organizational operations, data security, and the privacy of communications.

It is crucial for organizations using affected Cisco Expressway Series devices to apply the provided patches and follow Cisco’s mitigation recommendations to protect their systems from potential exploitation.

Subscribe Today

We don’t spam! Read our privacy policy for more info.

Learn more about WNE Security products and services that can help keep you cyber safe.

Learn about CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255 and other vulnerabilities and best practices by subscribing to our newsletter.


Subscribe to WNE Security’s newsletter for the latest cybersecurity best practices, 0-days, and breaking news. Or learn more about “(CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255)”  by clicking the links below

Check Out Some Other Articles

Learn How To Secure A Work From Home Environment by implementing VPN, Drawing Boundaries for Work Devices, Securing Routers, Limit Data Access/least …

Google Chrome Security Settings for the most Secure Google Chrome Browser starts with enabling automatic updates, Safe Browsing, security extension/extension…

Ransomware is more than just a headline—it’s a rising threat. Learn about its mechanics, its consequences, and why staying informed is your best defense.