Cisco Unified Communications Gateways Affected by API Bug

The recently disclosed API vulnerabilities in Cisco's Expressway Series of unified communications gateways pose significant risks to affected devices, potentially allowing attackers to perform arbitrary actions. These vulnerabilities, categorized as cross-site request forgery (CSRF) bugs, impact both Cisco Expressway Control and Cisco Expressway Edge devices, according to Cisco's advisory.

Cross-site request forgery vulnerabilities can enable attackers to trick authenticated users into unknowingly executing malicious actions on a web application. In the case of Cisco Expressway devices, exploitation of these vulnerabilities could lead to unauthorized access, data manipulation, or other malicious activities, posing serious security threats to organizations relying on these communication gateways.

As Cisco works to address these vulnerabilities, it's crucial for affected organizations to apply necessary patches and updates promptly. Additionally, implementing strong access controls, monitoring for suspicious activities, and following best practices for network security can help mitigate the risks associated with these vulnerabilities and safeguard critical communication infrastructure.

The three CSRF vulnerabilities identified in Cisco's advisory, namely CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255, all target the web management interface of the affected devices in the Cisco Expressway Series.

Exploiting these vulnerabilities involves tricking an API user into clicking on a specially crafted link, which then allows the attacker to execute arbitrary actions with the privileges of the compromised user. In some cases, this could extend to gaining administrative privileges, presenting a significant security risk.

CVE-2024-20252 and CVE-2024-20254, both rated with a CVSS score of 9.6 (indicating a critical severity), enable attackers to tamper with the system configuration and create new privileged accounts. These actions could potentially lead to further compromise of the device and unauthorized access to sensitive information or control over the affected network infrastructure.

CVE-2024-20255, rated with a CVSS score of 8.2, presents a lower-severity risk compared to the other two vulnerabilities mentioned. Despite its lower rating, CVE-2024-20255 still allows attackers to execute certain system commands, although its impact is limited to facilitating a denial-of-service attack against the victim.

These vulnerabilities affect Cisco Expressway Series versions older than 14.0, as well as version 14.0 itself (which can be remediated by upgrading to version 14.3.4) and version 15.0 (fixed in 15.0.0). It's important for organizations using affected versions to apply the necessary patches or upgrades to mitigate the risk of exploitation.

Additionally, the vulnerabilities extend to the end-of-life Cisco TelePresence video communication server, which unfortunately will not receive patches. Organizations still using this server should consider implementing alternative security measures to reduce the associated risks.