
Cisco patches critical flaws in Expressway and ClamAV

Cisco has patched three critical cross-site request forgery (CSRF) vulnerabilities in its Expressway Series collaboration gateway and a denial-of-service (DoS) flaw in the ClamAV anti-malware engine. CSRF flaws allow unauthenticated attackers to perform arbitrary actions on vulnerable devices by tricking users into clicking a specially crafted link. The actions execute with the privileges of the victim's account, and their nature depends on the vulnerability.

The first two CSRF issues, tracked as CVE-2024-20252 and CVE-2024-20254, are rated as critical with a score of 9.8 on the CVSS severity scale. The flaws are located in the API of Cisco Expressway Series devices and stem from a lack of CSRF protections in the web-based management interface. "If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts," Cisco warns in its advisory.

The third CSRF vulnerability, tracked as CVE-2024-20255, is rated as high severity with a score of 8.2 because it only allows attackers to cause a denial-of-service condition by overwriting system configuration settings. Unlike the other two flaws, which affect Expressway Series devices in their default configuration, the third flaw only affects devices if the cluster database (CDB) API feature has been enabled. This feature is disabled by default.


Cisco Expressway 14.0 customers should upgrade

Cisco advises customers running Cisco Expressway Series release 14.0 to upgrade to the newly released 14.3.41 version or to 15.0.01. To enable the fix, customers must also run the following command: xconfiguration Security CSRFProtection status: "Enabled".

"Cisco TelePresence Video Communication Server (VCS) has reached its end-of-support date and is no longer included in Cisco Expressway Series advisories," the company said. "Cisco has not released and will not release software updates for Cisco TelePresence VCS to address the vulnerabilities that are described in this advisory."

The flaw affecting ClamAV, a free and cross-platform anti-malware toolkit, is tracked as CVE-2024-20290 and is a heap buffer over-read caused by incorrect checks for end-of-string values in the OLE2 file format parser. A remote attacker could exploit this vulnerability by sending a specially crafted file with OLE2 content to the ClamAV scanner, which could crash the scanning process and consume system resources.
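The bug class behind CVE-2024-20290, as an added example that is not ClamAV's code: an OLE2 (MS-CFB) directory entry stores its name as a 64-byte UTF-16LE field that is supposed to be NUL-terminated, plus a declared length. The unchecked scan below walks past the field when the terminator is missing; the checked one bounds the scan and cross-checks the declared length. The field layout follows MS-CFB; the function names and exact checks are this example's own assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Model of the MS-CFB (OLE2) directory-entry name field: 64 bytes of
 * UTF-16LE that should end in 0x0000, plus a 16-bit length in bytes
 * (terminator included). Constructed here; it is not ClamAV's parser. */
#define OLE2_NAME_BYTES 64

/* Vulnerable pattern: unbounded scan for the terminator. A name field
 * with no 0x0000 drives it past the 64 bytes (heap buffer over-read).
 * Shown only for contrast; never run on untrusted input. */
size_t name_len_unchecked(const uint8_t *name)
{
    size_t i = 0;
    while (name[i] != 0 || name[i + 1] != 0)
        i += 2;
    return i;
}

/* Hardened pattern: scan bounded by the field, missing terminator is an
 * error, and the declared length must agree with the contents. Returns
 * the name length in bytes (without terminator) or -1 if malformed. */
static long name_len_checked(const uint8_t *name, size_t avail, uint16_t declared)
{
    size_t i;
    if (avail < OLE2_NAME_BYTES)
        return -1;
    for (i = 0; i + 1 < OLE2_NAME_BYTES; i += 2)
        if (name[i] == 0 && name[i + 1] == 0)
            break;
    if (i >= OLE2_NAME_BYTES)
        return -1;          /* no terminator inside the field */
    if ((size_t)declared != i + 2)
        return -1;          /* length field disagrees with contents */
    return (long)i;
}

/* Build a field from ASCII (UTF-16LE, zero padded; 32 chars fill it with
 * no terminator, the malformed case) and validate it. */
static long checked_len_of_ascii(const char *ascii, uint16_t declared)
{
    uint8_t field[OLE2_NAME_BYTES];
    size_t n = strlen(ascii), k;
    if (n > OLE2_NAME_BYTES / 2)
        n = OLE2_NAME_BYTES / 2;
    memset(field, 0, sizeof field);
    for (k = 0; k < n; k++)
        field[2 * k] = (uint8_t)ascii[k];   /* high byte stays 0 */
    return name_len_checked(field, sizeof field, declared);
}
```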


"This vulnerability, which has a High Security Impact Rating (SIR), affects only Windows-based platforms because those platforms run the ClamAV scanning process as a service that could enter a loop condition, which would consume available CPU resources and delay or prevent further scanning operations," Cisco said in its advisory.
