Cisco has mounted three critical cross-site request forgery (CSRF) vulnerabilities in its Expressway Sequence collaboration gateway and a denial-of-service (DoS) flaw within the ClamAV anti-malware engine. CSRF flaws enable unauthenticated attackers to carry out arbitrary actions on weak units by tricking customers to click on on a particularly crafted hyperlink. The actions execute with the privilege of the sufferer’s account and their nature relies on the vulnerability.
The primary two CSRF points, tracked as CVE-2024-20252 and CVE-2024-20254, are rated as crucial with a rating of 9.8 on the CVSS severity scale. The failings are situated within the API of Cisco Expressway Sequence units and stem from an absence of CSRF protections within the web-based administration interface.”If the affected person has administrative privileges, these actions might embody modifying the system configuration and creating new privileged accounts,” Cisco warns in its advisory.
The third CSRF vulnerability, tracked as CVE-2024-20255, is rated as excessive severity with a rating of 8.2 as a result of it might solely enable attackers to trigger a denial-of-service situation by overwriting system configuration settings. In contrast to the opposite two flaws, which have an effect on Expressway Sequence units of their default configuration, the third flaw additionally solely impacts units if the cluster database (CDB) API function has been enabled. This function is disabled by default.
Cisco Expressway 14.0 prospects ought to improve
Cisco advises prospects of Cisco Expressway Sequence launch 14.0 to improve to the newly launched 14.3.41 model or improve to fifteen.0.01. To allow the repair, prospects additionally should run the next command: xconfiguration Safety CSRFProtection standing: “Enabled”.
“Cisco TelePresence Video Communication Server (VCS) has reached its end-of-support date and is not included in Cisco Expressway Sequence advisories,” the corporate stated. “Cisco has not launched and won’t launch software program updates for Cisco TelePresence VCS to handle the vulnerabilities which are described on this advisory.”
The flaw affecting ClamAV, a free and cross-platform anti-malware toolkit, is tracked as CVE-2024-20290 and is a heap buffer over-read brought on by incorrect checks for end-of-string values within the OLE2 file format parser. A distant attacker might exploit this vulnerability by sending a specifically crafted file with OLE2 content material to the ClamAV scanner, which might crash the scanning course of and eat system sources.
“This vulnerability, which has a Excessive Safety Impression Ranking (SIR), impacts solely Home windows-based platforms as a result of these platforms run the ClamAV scanning course of as a service that would enter a loop situation, which might eat accessible CPU sources and delay or forestall additional scanning operations,” Cisco stated in its advisory.
