How to Protect Your Cisco Expressway Series Devices from 3 Cross-Site Request Forgery Vulnerabilities (CSRF)?

Cisco recently disclosed three critical cross-site request forgery (CSRF) vulnerabilities in its Expressway Series collaboration devices. According to the security advisory, the vulnerabilities tracked as CVE-2024-20252CVE-2024-20254, and CVE-2024-20255 stem from insufficient CSRF protections in the web-based management interface API.

Successful exploitation of these CSRF vulnerabilities in the Cisco Expressway Series could allow an unauthenticated remote attacker to make arbitrary configuration changes, create new privileged user accounts, and even trigger a denial of service conditions. With CVSS scores of 9.6 and 8.2, these vulnerabilities pose a serious risk to vulnerable deployments.

In this post, we will summarize the 3 Cross-Site Request Forgery vulnerabilities, analyze the potential impact, and review mitigation strategies for protecting Cisco Expressway devices from 3 Cross-Site Request Forgery Vulnerabilities (CSRF). Applying the latest software updates is critical as Cisco rates all three flaws as having Critical severity.

A Short Introduction to the Cisco Expressway Series

Cisco Expressway Series devices are deployed as critical components enabling secure communications in unified communications environments. The product line consists of two main devices:

Cisco Expressway Control (Expressway-C): Acts as an enterprise Session Border Controller ( SBC ), providing firewall traversal and session control capabilities for unified communication sessions.

Cisco Expressway Edge (Expressway-E): Deploys in enterprise DMZs and enables secure communications with endpoints and other organizations across the public internet. Acts as a reverse

proxy for internal Expressway-C devices.

Key capabilities provided by Expressway Series include:

  • Secure firewall traversal and connectivity options for remote workers

  • Enabling cloud-based UC services across the internet

  • Interoperability with third-party endpoints and UC infrastructure

  • Comprehensive session control, logging, and security features

  • Identity assertion and access control for endpoints

  • Load balancing, DNS, and NAT capabilities

With their advanced UC features and security controls, Expressway Series plays a vital networking role for organizations adopting hybrid work environments. Ensuring they are properly hardened and patched is critical.

Summary of the 3 Cross-Site Request Forgery Vulnerabilities

CVE ID
Description
CVSS Score
CVSS Vector
CVE-2024-20252
Cisco Expressway Series Cross-Site Request Forgery Vulnerability
9.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE-2024-20254
Cisco Expressway Series Cross-Site Request Forgery Vulnerability
9.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE-2024-20255
Cisco Expressway Series Cross-Site Request Forgery Vulnerability
8.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L

These CSRF in the Cisco Expressway Series stem from missing cross-site request forgery protection in the web UI API, allowing unauthenticated attackers to potentially make configuration changes, create new admin accounts, and trigger  denial of service if they trick an admin into clicking on crafted links.

See also  What Is New in Kali Linux 2023.1? And, How to Upgrade Kali Linux to 2023.1?

Successful exploitation could essentially provide remote unauthenticated attackers the same privileges and access as a logged-in administrator. This explains the extremely high CVSS ratings for these flaws.

Products Vulnerable

As per the published advisory, the following Cisco Expressway Series releases are vulnerable to CVE-2024-20252CVE-2024-20254, and CVE-2024-20255:

Cisco Expressway Control (Expressway-C)

  • Releases earlier than 14.3.4

  • Releases earlier than 15.0.0

Cisco Expressway Edge (Expressway-E)

  • Releases earlier than 14.3.4

  • Releases earlier than 15.0.0

Additionally, Cisco Expressway devices with the cluster database (CDB) API feature enabled are vulnerable to CVE-2024-20252 across releases. This is enabled by default on versions earlier than 14.2 and cannot be disabled.

The full list of vulnerable product versions is summarized below:

Product
Vulnerable Versions
Cisco Expressway Series
< 14.3.4, < 15.0.0
Cluster Database (CDB) API Feature
Enabled, across releases

Ensuring Expressway devices are upgraded to a fixed release is critical to mitigate these CSRF vulnerabilities, given the complete system compromise they allow.

How to Protect Your Cisco Devices from CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255?

Cisco has released software updates for Expressway Series that address these CSRF vulnerabilities in Cisco Expressway Series. Customers should upgrade their vulnerable Expressway devices to the latest fixed releases:

  • Expressway Version 14.3.4 or later

  • Expressway Version 15.0.0 or later

How to upgrade Cisco Expressway Series to 14.3

Upgrading Cisco Expressway Series to version 14.3 involves several steps and considerations. Here’s a general overview to guide you:

Preparation:

  1. Review Compatibility: Before proceeding, ensure your Expressway hardware and software versions are compatible with 14.3. Check the Cisco Expressway Series Compatibility Guide for details.

  2. Backup Configuration: It’s crucial to back up your current Expressway configuration before the upgrade. Refer to the “Cisco Expressway Series Install and Upgrade Guides” for specific instructions.

  3. Network Readiness: Verify your network infrastructure is ready for the upgrade. Ensure sufficient bandwidth and resources are available to support the new version.

See also  Security Misconfiguration – The #5 Web Application Security Risk

Upgrade Process:

  1. Download Upgrade File: Download the 14.3 upgrade file (.tar.gz) from the Cisco Expressway software downloads page: https://www.cisco.com/c/en/us/support/unified-communications/expressway-series/series.html

  2. Upload and Apply Upgrade: Log in to the Expressway web interface and navigate to Maintenance > Upgrade. Upload the downloaded file and follow the on-screen instructions to initiate the upgrade.

  3. Reboot: Once the upgrade is completed, the Expressway will prompt you to reboot. Perform the reboot to activate the new software version.

Post-Upgrade Actions:

  1. Verify Operation: After rebooting, access the Expressway web interface and confirm it’s running 14.3 successfully.

  2. Refresh Nodes: Perform a refresh of all Unified Communications nodes from the primary Expressway-C server. This updates their configuration with the new version.

  3. Monitor and Troubleshoot: Monitor the Expressway for any issues or errors after the upgrade. Refer to the “Cisco Expressway Series Release Notes” for known issues and troubleshooting tips.

Additional Resources:

Important Note: Upgrading system software can be complex and carries risks. Ensure you have a thorough understanding of the process and potential consequences before proceeding. Consider consulting a qualified network administrator or referring to the official Cisco documentation for detailed instructions and best practices specific to your Expressway model and configuration.

Once upgraded, additional steps are required to enable CSRF Protection to fully mitigate the vulnerabilities:

  1. Log in to the Expressway web interface

  2. Navigate to System > Security > CSRF protection

  3. Set the Status to Enabled

  4. Click Save

Or, run the following command from the device terminal:

xConfiguration Security CSRFProtection Status: "Enabled"

For more information, see the link.

Enabling CSRF protection injects non-predictable challenge tokens in requests to the Expressway web interface and management APIs. This protects against forged requests from malicious sites, providing the full fix.

See also  3 Different Ways to Install Nmap on Linux Mint or Ubuntu

Note that Expressway hardware may need a BIOS/firmware update to support the latest software release. Check the administrator guides to confirm your appliance capabilities before upgrading.

As with any critical security issue, customers should prioritize patching Expressway instances to the latest fixed versions. Ensure proper change management procedures are followed for systematic upgrades.

Bottom Line

The critical vulnerabilities disclosed in the Cisco Expressway Series highlight the importance of promptly applying security fixes for enterprise infrastructure. Given the prevalence of hybrid and remote work models, compromises that impact collaboration environments directly enable disruption of business operations.

While Cisco has provided software updates to address these specific CSRF flaws, customers need to adopt long-term security strategies centered around continuous monitoring, testing, and upgrading. Dedicated security personnel should subscribe to vendor notifications, analyze new issues for organizational relevance, and oversee patching cycles.

Proper upgrade planning and change management is also key — organizations must assess upgrade compatibility, coordinate maintenance windows, backup existing configs, and test functionality post-deployment. Attempting upgrades without proper care can result in even lengthier outages.

Lastly, robust security solutions and principles like network segmentation, multifactor  authentication, and the principle of least privilege can help protect collaboration platforms even before patches are available. As with any critical infrastructure, defense-in-depth reduces risk.

In summary, CVE-2024-20252, CVE-2024-20254, and CVE-2024-20255 serve as an important reminder to keep security practices aligned with operational reliance on unified communications tools enabling productivity and connectivity.

Leave a Reply

Your email address will not be published. Required fields are marked *