Cisco has fixed three serious cross-site request forgery (CSRF) vulnerabilities in its Expressway Series collaboration gateway and a denial-of-service (DoS) flaw in the ClamAV anti-malware engine. CSRF flaws let an unauthenticated attacker perform actions on a vulnerable device by tricking an already authenticated user into clicking a specially crafted link or visiting an attacker-controlled page; the victim's browser then submits the forged request with that user's session. The actions execute with the privileges of the victim's account, and their nature depends on the vulnerability.
The first two CSRF issues, tracked as CVE-2024-20252 and CVE-2024-20254, are rated as critical with a score of 9.8 on the CVSS severity scale. The flaws are located in the API of Cisco Expressway Series devices and stem from a lack of CSRF protections in the web-based management interface. "If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts," Cisco warns in its advisory.
The third CSRF vulnerability, tracked as CVE-2024-20255, is rated as high severity with a score of 8.2 because it only allows attackers to cause a denial-of-service condition by overwriting system configuration settings. Unlike the other two flaws, which affect Expressway Series devices in their default configuration, the third flaw affects devices only if the cluster database (CDB) API feature has been enabled; this feature is disabled by default.
Cisco Expressway 14.0 customers should upgrade
Cisco advises customers of Cisco Expressway Series release 14.0 to upgrade to the newly released 14.3.41 version or to 15.0.01. The upgrade alone is not enough: to activate the protection, customers must also run the following command on the device: xconfiguration Security CSRFProtection status: "Enabled".
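To make concrete what a CSRF protection switch like the one above has to do, here is an added example of the request check a web management interface performs once protection is on. It is illustrative code written for this article, not Cisco's implementation; the `protection_on` flag, the `csrf_request_allowed` function, the hostname `expressway.example.internal` and the token value are all assumed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constant-time string equality so an attacker cannot time the token check.
   Returns false if the lengths differ. */
static bool ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Decide whether a request may proceed.
 *   protection_on : hypothetical global switch, standing in for a
 *                   "CSRFProtection status" setting; when it is off every
 *                   request passes, which is the vulnerable state
 *   method        : HTTP method of the request
 *   origin        : value of the Origin header, or NULL if absent
 *   site_origin   : the scheme://host[:port] the management UI is served from
 *   session_token : anti-CSRF token the server bound to the victim's session
 *   request_token : token carried in the request body or a custom header
 */
bool csrf_request_allowed(bool protection_on,
                          const char *method,
                          const char *origin,
                          const char *site_origin,
                          const char *session_token,
                          const char *request_token)
{
    if (!protection_on)
        return true;

    /* Safe methods are assumed not to change state, so there is nothing to
       protect. Any state-changing GET endpoint breaks this assumption. */
    if (strcmp(method, "GET") == 0 || strcmp(method, "HEAD") == 0 ||
        strcmp(method, "OPTIONS") == 0)
        return true;

    /* Browsers attach Origin to cross-site POSTs; a mismatch means the request
       was forged from another site. A missing Origin falls through to the
       token check rather than being trusted. */
    if (origin != NULL && strcmp(origin, site_origin) != 0)
        return false;

    /* Synchronizer token: a cross-site page cannot read the victim's token,
       so a forged request cannot carry the right value. */
    if (session_token == NULL || request_token == NULL)
        return false;
    return ct_equal(session_token, request_token);
}

int main(void)
{
    const char *site = "https://expressway.example.internal"; /* assumed host */
    const char *tok  = "d41f2b9c7e8a0c13";                     /* constructed */

    /* Forged POST: victim's browser, attacker's page, no token. */
    printf("forged, protection off: %d\n",
           csrf_request_allowed(false, "POST", "https://attacker.example",
                                site, tok, NULL));
    printf("forged, protection on:  %d\n",
           csrf_request_allowed(true, "POST", "https://attacker.example",
                                site, tok, NULL));
    /* Legitimate POST issued by the management UI itself. */
    printf("legit, protection on:   %d\n",
           csrf_request_allowed(true, "POST", site, site, tok, tok));
    return 0;
}
```

Two points follow from the code. First, the switch matters: with `protection_on` false the forged request is accepted, which is exactly why upgrading without running the enable command leaves the device exposed. Second, the method exemption is only sound if no state-changing operation is reachable over GET; the "click a crafted link" attack described above works precisely against endpoints that violate that assumption, so such endpoints must either move to POST or be subjected to the same token check.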
“Cisco TelePresence Video Communication Server (VCS) has reached its end-of-support date and is no longer included in Cisco Expressway Series advisories,” the company said. “Cisco has not released and will not release software updates for Cisco TelePresence VCS to address the vulnerabilities that are described in this advisory.”
The flaw affecting ClamAV, a free and cross-platform anti-malware toolkit, is tracked as CVE-2024-20290 and is a heap buffer over-read caused by incorrect checks for end-of-string values in the OLE2 file format parser. A remote attacker could exploit this vulnerability by submitting a specially crafted file with OLE2 content to the ClamAV scanner; the malformed input could crash the scanning process or cause it to consume system resources.
“This vulnerability, which has a High Security Impact Rating (SIR), affects only Windows-based platforms because those platforms run the ClamAV scanning process as a service that could enter a loop condition, which would consume available CPU resources and delay or prevent further scanning operations,” Cisco said in its advisory.
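The bug class described above, a parser that trusts a string terminator to be present, is easy to show in miniature. The following is an added example written for this article; it is not ClamAV code and the record layout (an 8-byte name field, loosely modelled on the fixed-width name fields of OLE2 directory entries) and the function names are assumed. It contrasts an unbounded terminator scan with a bounded one and shows a record walker that aborts on a malformed name instead of reading past the buffer or spinning.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical on-disk record: a fixed-width name field that is supposed to
   be NUL-terminated. Assumed layout for illustration, not ClamAV's. */
#define NAME_FIELD_LEN 8

/* Vulnerable: trusts that a NUL is present and scans until it finds one.
   On an unterminated field this walks past the field and, at the end of the
   allocation, past the heap buffer itself (the over-read). */
size_t name_len_vulnerable(const uint8_t *field)
{
    size_t n = 0;
    while (field[n] != 0)
        n++;
    return n;
}

/* Hardened: bounded by the bytes that actually exist. Returns -1 when the
   field has no terminator so the caller can reject the record. */
long name_len_bounded(const uint8_t *field, size_t avail)
{
    const uint8_t *nul = memchr(field, 0, avail);
    return nul ? (long)(nul - field) : -1;
}

/* Walk consecutive NAME_FIELD_LEN-byte records and count well-formed names.
   The offset always advances by a fixed amount and a bad record ends the
   scan with -1, so the loop can neither over-read nor fail to terminate. */
long count_names(const uint8_t *buf, size_t len)
{
    long count = 0;
    for (size_t off = 0; off + NAME_FIELD_LEN <= len; off += NAME_FIELD_LEN) {
        if (name_len_bounded(buf + off, NAME_FIELD_LEN) < 0)
            return -1;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: two records, the second lacks a terminator. The
       trailing bytes stand in for whatever happens to follow on the heap. */
    uint8_t *heap = malloc(2 * NAME_FIELD_LEN + 4);
    memcpy(heap, "Root\0\0\0\0", NAME_FIELD_LEN);
    memcpy(heap + NAME_FIELD_LEN, "WordDocu", NAME_FIELD_LEN); /* no NUL */
    memcpy(heap + 2 * NAME_FIELD_LEN, "xy\0z", 4);             /* neighbour */

    printf("record 0: vulnerable=%zu bounded=%ld\n",
           name_len_vulnerable(heap),
           name_len_bounded(heap, NAME_FIELD_LEN));
    /* The vulnerable scan runs through the 8-byte field into the neighbouring
       bytes before it sees a NUL; it stays inside the allocation here only
       because the sample buffer was deliberately padded. */
    printf("record 1: vulnerable=%zu bounded=%ld\n",
           name_len_vulnerable(heap + NAME_FIELD_LEN),
           name_len_bounded(heap + NAME_FIELD_LEN, NAME_FIELD_LEN));
    printf("scan result: %ld\n", count_names(heap, 2 * NAME_FIELD_LEN));
    free(heap);
    return 0;
}
```

On the padded sample the vulnerable scan reports a 10-byte name for an 8-byte field, which is the over-read made visible; on a real heap the bytes past the allocation may be unmapped, which is the crash case. The bounded version reports -1 for the same record, and `count_names` propagates that instead of retrying, which is the behaviour a scanning service needs so that one malformed file cannot pin a CPU and stall later scans.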