Click and Compromise: Cisco Bugs Let Hackers Infiltrate Systems Remotely

Recently, Cisco, a leading provider of networking solutions revealed several critical vulnerabilities affecting its Expressway Series collaboration gateways. These vulnerabilities, rated as critical in severity, expose vulnerable devices to Cross-Site Request Forgery (CSRF) attacks, posing a significant risk to users and organizations alike.

CSRF vulnerabilities, though not uncommon, are particularly insidious. They allow attackers to manipulate authenticated users into executing unintended actions by tricking them into clicking malicious links or visiting attacker-controlled webpages. The consequences of such actions can range from benign nuisances to severe security breaches, including the unauthorized creation of user accounts, execution of arbitrary code, and even gaining administrative privileges.

The two critical CSRF vulnerabilities patched by Cisco, identified as CVE-2024-20252 and CVE-2024-20254 (CVSS 9.6), present a grave threat, as they can be exploited remotely by unauthenticated attackers. By targeting unpatched Expressway gateways, these attackers could potentially wreak havoc, compromising sensitive systems and data.

CVE-2024-20252 and CVE-2024-20254

Cisco’s warning underscores the severity of the situation: “An attacker could exploit these vulnerabilities by persuading a user of the API to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.” For users with administrative privileges, the stakes are even higher, as attackers could manipulate system configurations and create new privileged accounts, exacerbating the risk of unauthorized access and control.

Adding to the complexity of the situation is a third CSRF security bug, tracked as CVE-2024-20255 (CVSS 8.2). This vulnerability, while not rated as critical, still poses a significant threat. Exploiting CVE-2024-20255 could enable attackers to alter system configurations and trigger denial of service conditions, further disrupting operations and compromising network integrity.

Interestingly, the impact of these vulnerabilities varies based on the configuration of the Cisco Expressway Series devices. CVE-2024-20254 and CVE-2024-20255 affect devices with default configurations, amplifying the potential reach of the attacks. In contrast, CVE-2024-20252 can only be exploited in gateways where the cluster database (CDB) API feature has been enabled.

Cisco Expressway Series Release First Fixed Release
Earlier than 14.0 Migrate to a fixed release.
14.0 14.3.4
15.0 15.0.0

Compounding the challenge is the end-of-support status of the Cisco TelePresence Video Communication Server (VCS) gateway, which reached its end-of-support date on December 31, 2023. As a result, Cisco has opted not to release security updates for the VCS gateway, leaving it vulnerable to exploitation. Organizations still reliant on this gateway must take proactive measures to mitigate risks and explore alternative solutions to safeguard their networks.

Despite the severity of these vulnerabilities, Cisco’s Product Security Incident Response Team (PSIRT) has not detected any public proof of concept exploits or exploitation attempts targeting them. The absence of evidence does not equate to the absence of risk. Vigilance, coupled with timely patching and proactive security measures, remains paramount in fortifying defenses against potential threats.