Cisco Addresses Cross-Site Request Forgery Vulnerabilities in Expressway Series (CVE-2024-20252, CVE-2024-20254, & CVE-2024-20255)

Qualys Security Advisory

Cisco Expressway Series devices are vulnerable to three high and critical severity flaws that may lead to cross-site request forgery (CSRF) attacks. Tracked as CVE-2024-20252, CVE-2024-20254, & CVE-2024-20255, the vulnerabilities may sometimes allow an unauthenticated, remote attacker to perform arbitrary actions on an affected device.

There is no evidence suggesting the active exploitation of any of the vulnerabilities.

CVE-2024-20252 and CVE-2024-20254: Cisco Expressway Series Cross-Site Request Forgery Vulnerabilities

The vulnerabilities that exist in the API of Cisco Expressway Series devices originate from the insufficient CSRF protections for the web-based management interface of an affected system.

An attacker could exploit these vulnerabilities by convincing a user of the API to follow a crafted link. On successful exploitation, the attacker may perform any action using the affected user’s privileges. These activities could involve changing the system setup and making new privileged accounts if the impacted user has administrative capabilities.

CVE-2024-20255: Cisco Expressway Series Cross-Site Request Forgery Vulnerability

The vulnerabilities that exist in the API of Cisco Expressway Series devices originate from the insufficient CSRF protections for the web-based management interface of an affected system.

An attacker could exploit these vulnerabilities by convincing a user of the API to follow a crafted link. On successful exploitation, the attacker may perform any action using the affected user’s privileges. If the affected user has administrative privileges, these actions could include overwriting system configuration settings, preventing the system from processing calls appropriately, and resulting in a denial of service (DoS) condition.

Affected Products

CVE-2024-20254 and CVE-2024-20255 affect Cisco Expressway Series devices in the default configuration.

CVE-2024-20252 affects Cisco Expressway Series devices if the cluster database (CDB) API feature has been enabled. This feature is disabled by default.

Affected Versions

The vulnerabilities affected the Cisco Expressway Series before version 14.3.4.

Mitigation

Customers are advised to upgrade to the Cisco Expressway Series version 14.3.4 to patch the vulnerabilities.

As per the advisory, “To enable the complete fix, run the xconfiguration Security CSRFProtection status: “Enabled” command, as detailed in the Cisco Expressway Administrator Guide.”

For more information, please refer to the Cisco Security Advisory ( cisco-sa-expressway-csrf-KnnZDMj3).

Qualys Detection

Qualys customers can scan their devices with QID 38918 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-csrf-KnnZDMj3

READ MORE