Cisco recently disclosed three critical cross-site request forgery (CSRF) vulnerabilities in its Expressway Series collaboration devices. According to the security advisory, the vulnerabilities tracked as CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255 stem from insufficient CSRF protections in the web-based management interface API.
Successful exploitation of these CSRF vulnerabilities in the Cisco Expressway Series could allow an unauthenticated remote attacker to make arbitrary configuration changes, create new privileged user accounts, and even trigger a denial of service conditions. With CVSS scores of 9.6 and 8.2, these vulnerabilities pose a serious risk to vulnerable deployments.
In this post, we will summarize the 3 Cross-Site Request Forgery vulnerabilities, analyze the potential impact, and review mitigation strategies for protecting Cisco Expressway devices from 3 Cross-Site Request Forgery Vulnerabilities (CSRF). Applying the latest software updates is critical as Cisco rates all three flaws as having Critical severity.
Cisco Expressway Series devices are deployed as critical components enabling secure communications in unified communications environments. The product line consists of two main devices:
Cisco Expressway Control (Expressway-C): Acts as an enterprise Session Border Controller (SBC), providing firewall traversal and session control capabilities for unified communication sessions.
Cisco Expressway Edge (Expressway-E): Deploys in enterprise DMZs and enables secure communications with endpoints and other organizations across the public internet. Acts as a reverse
proxy for internal Expressway-C devices.
Key capabilities provided by Expressway Series include:
Secure firewall traversal and connectivity options for remote workers
Enabling cloud-based UC services across the internet
Interoperability with third-party endpoints and UC infrastructure
Comprehensive session control, logging, and security features
Identity assertion and access control for endpoints
Load balancing, DNS, and NAT capabilities
With their advanced UC features and security controls, Expressway Series plays a vital networking role for organizations adopting hybrid work environments. Ensuring they are properly hardened and patched is critical.
CVE ID
|
Description
|
CVSS Score
|
CVSS Vector
|
CVE-2024-20252
|
Cisco Expressway Series Cross-Site Request Forgery Vulnerability
|
9.6
|
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
|
CVE-2024-20254
|
Cisco Expressway Series Cross-Site Request Forgery Vulnerability
|
9.6
|
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
|
CVE-2024-20255
|
Cisco Expressway Series Cross-Site Request Forgery Vulnerability
|
8.2
|
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L
|
These CSRF in the Cisco Expressway Series stem from missing cross-site request forgery protection in the web UI API, allowing unauthenticated attackers to potentially make configuration changes, create new admin accounts, and trigger denial of service if they trick an admin into clicking on crafted links.
Successful exploitation could essentially provide remote unauthenticated attackers the same privileges and access as a logged-in administrator. This explains the extremely high CVSS ratings for these flaws.
As per the published advisory, the following Cisco Expressway Series releases are vulnerable to CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255:
Cisco Expressway Control (Expressway-C)
Releases earlier than 14.3.4
Releases earlier than 15.0.0
Cisco Expressway Edge (Expressway-E)
Releases earlier than 14.3.4
Releases earlier than 15.0.0
Additionally, Cisco Expressway devices with the cluster database (CDB) API feature enabled are vulnerable to CVE-2024-20252 across releases. This is enabled by default on versions earlier than 14.2 and cannot be disabled.
The full list of vulnerable product versions is summarized below:
Product
|
Vulnerable Versions
|
---|---|
Cisco Expressway Series
|
< 14.3.4, < 15.0.0
|
Cluster Database (CDB) API Feature
|
Enabled, across releases
|
Ensuring Expressway devices are upgraded to a fixed release is critical to mitigate these CSRF vulnerabilities, given the complete system compromise they allow.
Cisco has released software updates for Expressway Series that address these CSRF vulnerabilities in Cisco Expressway Series. Customers should upgrade their vulnerable Expressway devices to the latest fixed releases:
Expressway Version 14.3.4 or later
Expressway Version 15.0.0 or later
Upgrading Cisco Expressway Series to version 14.3 involves several steps and considerations. Here's a general overview to guide you:
Preparation:
Review Compatibility: Before proceeding, ensure your Expressway hardware and software versions are compatible with 14.3. Check the Cisco Expressway Series Compatibility Guide for details.
Backup Configuration: It's crucial to back up your current Expressway configuration before the upgrade. Refer to the "Cisco Expressway Series Install and Upgrade Guides" for specific instructions.
Network Readiness: Verify your network infrastructure is ready for the upgrade. Ensure sufficient bandwidth and resources are available to support the new version.
Upgrade Process:
Download Upgrade File: Download the 14.3 upgrade file (.tar.gz) from the Cisco Expressway software downloads page: https://www.cisco.com/c/en/us/support/unified-communications/expressway-series/series.html
Upload and Apply Upgrade: Log in to the Expressway web interface and navigate to Maintenance > Upgrade. Upload the downloaded file and follow the on-screen instructions to initiate the upgrade.
Reboot: Once the upgrade is completed, the Expressway will prompt you to reboot. Perform the reboot to activate the new software version.
Post-Upgrade Actions:
Verify Operation: After rebooting, access the Expressway web interface and confirm it's running 14.3 successfully.
Refresh Nodes: Perform a refresh of all Unified Communications nodes from the primary Expressway-C server. This updates their configuration with the new version.
Monitor and Troubleshoot: Monitor the Expressway for any issues or errors after the upgrade. Refer to the "Cisco Expressway Series Release Notes" for known issues and troubleshooting tips.
Additional Resources:
Upgrade of Video Communication Server (VCS) / Expressway X14.x - Guide & FAQ: https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/217743-upgrade-of-video-communication-server-v.html
Cisco Expressway Series Support Page: https://www.cisco.com/c/en/us/support/unified-communications/expressway-series/series.html
Important Note: Upgrading system software can be complex and carries risks. Ensure you have a thorough understanding of the process and potential consequences before proceeding. Consider consulting a qualified network administrator or referring to the official Cisco documentation for detailed instructions and best practices specific to your Expressway model and configuration.
Once upgraded, additional steps are required to enable CSRF Protection to fully mitigate the vulnerabilities:
Log in to the Expressway web interface
Navigate to System > Security > CSRF protection
Set the Status to Enabled
Click Save
Or, run the following command from the device terminal:
xConfiguration Security CSRFProtection Status: "Enabled"
For more information, see the link.
Enabling CSRF protection injects non-predictable challenge tokens in requests to the Expressway web interface and management APIs. This protects against forged requests from malicious sites, providing the full fix.
Note that Expressway hardware may need a BIOS/firmware update to support the latest software release. Check the administrator guides to confirm your appliance capabilities before upgrading.
As with any critical security issue, customers should prioritize patching Expressway instances to the latest fixed versions. Ensure proper change management procedures are followed for systematic upgrades.
The critical vulnerabilities disclosed in the Cisco Expressway Series highlight the importance of promptly applying security fixes for enterprise infrastructure. Given the prevalence of hybrid and remote work models, compromises that impact collaboration environments directly enable disruption of business operations.
While Cisco has provided software updates to address these specific CSRF flaws, customers need to adopt long-term security strategies centered around continuous monitoring, testing, and upgrading. Dedicated security personnel should subscribe to vendor notifications, analyze new issues for organizational relevance, and oversee patching cycles.
Proper upgrade planning and change management is also key — organizations must assess upgrade compatibility, coordinate maintenance windows, backup existing configs, and test functionality post-deployment. Attempting upgrades without proper care can result in even lengthier outages.
Lastly, robust security solutions and principles like network segmentation, multifactor authentication, and the principle of least privilege can help protect collaboration platforms even before patches are available. As with any critical infrastructure, defense-in-depth reduces risk.
In summary, CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255 serve as an important reminder to keep security practices aligned with operational reliance on unified communications tools enabling productivity and connectivity.
We hope this post helps you know how to protect your Cisco Expressway Series devices from 3 Cross-Site Request Forgery vulnerabilities (CSRF)?. Thanks for reading this post. Please share this post and help secure the digital world.Visit our website thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.
You may also like these articles:
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”
"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.
BurpGPT is a cutting-edge Burp Suite extension that harnesses the power of OpenAI's language models to revolutionize web application security testing. With customizable prompts and advanced AI capabilities, BurpGPT enables security professionals to uncover bespoke vulnerabilities, streamline assessments, and stay ahead of evolving threats.
PentestGPT, developed by Gelei Deng and team, revolutionizes penetration testing by harnessing AI power. Leveraging OpenAI's GPT-4, it automates and streamlines the process, making it efficient and accessible. With advanced features and interactive guidance, PentestGPT empowers testers to identify vulnerabilities effectively, representing a significant leap in cybersecurity.
Tenable BurpGPT is a powerful Burp Suite extension that leverages OpenAI's advanced language models to analyze HTTP traffic and identify potential security risks. By automating vulnerability detection and providing AI-generated insights, BurpGPT dramatically reduces manual testing efforts for security researchers, developers, and pentesters.
Microsoft Security Copilot is a revolutionary AI-powered security solution that empowers cybersecurity professionals to identify and address potential breaches effectively. By harnessing advanced technologies like OpenAI's GPT-4 and Microsoft's extensive threat intelligence, Security Copilot streamlines threat detection and response, enabling defenders to operate at machine speed and scale.