Critical Cisco bug exposes Expressway gateways to CSRF attacks

February 7, 2024 at 01:30PM

Cisco has released patches for critical vulnerabilities in its Expressway Series gateways that expose them to cross-site request forgery (CSRF) attacks. The flaws could allow remote attackers to manipulate vulnerable systems. Expressway Series devices in their default configuration are affected, and Cisco advises migrating to a fixed release. Cisco has not released security updates for the end-of-support Cisco TelePresence Video Communication Server (VCS) gateway. Cisco's Product Security Incident Response Team (PSIRT) has not detected any public proof-of-concept exploits targeting these vulnerabilities.

Key takeaways:

1. Cisco has patched several vulnerabilities affecting its Expressway Series collaboration gateways, two of them rated critical severity, which expose unpatched devices to cross-site request forgery (CSRF) attacks.
2. The CSRF vulnerabilities can be exploited by attackers to trick authenticated users into performing unwanted actions, and unauthenticated attackers could target unpatched Expressway gateways remotely using the two critical CSRF vulnerabilities (CVE-2024-20252 and CVE-2024-20254).
3. An attacker can exploit these vulnerabilities by persuading a user of the API to follow a crafted link, potentially allowing the attacker to perform arbitrary actions with the affected user’s privilege level, including modifying system configurations and creating new privileged accounts.
4. A third CSRF security bug (CVE-2024-20255) can also be used to alter vulnerable systems’ configuration and trigger denial of service conditions.
5. Customers running Cisco Expressway Series releases earlier than 14.0 are advised to migrate to a fixed release; releases 14.0 and 14.3.4 are vulnerable, while release 15.0 is not vulnerable.
6. Security updates for the Cisco TelePresence Video Communication Server (VCS) gateway will not be released to address the three vulnerabilities, as the gateway has reached its end-of-support date.
7. There is no evidence of public proof of concept exploits or exploitation attempts targeting these vulnerabilities, as confirmed by Cisco’s Product Security Incident Response Team (PSIRT).
8. In the past, Cisco has also faced critical security vulnerabilities in its Unified Communications Manager (CM), Contact Center Solutions products, and IOS XE devices, highlighting the ongoing need for robust security measures.