Cisco Releases Security Updates for Critical Vulnerabilities in Expressway Series and TelePresence VCS

• Cisco has issued critical software updates to address two vulnerabilities, CVE-2023-20105 and CVE-2023-20192, in the Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS), which could allow authenticated attackers to escalate their privileges.
• Customers using Cisco Expressway Series and Cisco TelePresence VCS are urged to promptly apply the security updates or utilize the workaround of disabling CLI access for read-only users, in order to protect their systems from potential exploitation.

Cisco has released critical software updates to address multiple vulnerabilities discovered in the Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS). According to the advisory published by Cisco on June 7, 2023, these vulnerabilities could allow an authenticated attacker with Administrator-level read-only credentials to escalate their privileges to Administrator with read-write credentials on affected systems.

The vulnerabilities have been identified as CVE-2023-20105 and CVE-2023-20192. Both vulnerabilities received high CVSS base scores, with CVE-2023-20105 being rated at 9.6.

CVE-2023-20105 is attributed to a flaw in the change password functionality. It allows an authenticated remote attacker to escalate privileges due to incorrect handling of password change requests. By sending a specially crafted request to the web-based management interface, an attacker could alter passwords for any user on the system and impersonate them.

CVE-2023-20192, on the other hand, stems from a flaw in the privilege management functionality. It enables an authenticated local attacker with Administrator-level read-only CLI (Command Line Interface) credentials to escalate privileges through the incorrect implementation of user role permissions. This could enable an attacker to execute commands beyond their intended access level, including modifying system configuration parameters.

Both vulnerabilities affect the Cisco Expressway Series, which includes Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices, as well as Cisco TelePresence VCS. Notably, CVE-2023-20192 only affects systems that have granted CLI access to a read-only administrator.

Cisco has issued software updates that address these vulnerabilities. Additionally, a workaround has been identified for CVE-2023-20192, which involves disabling CLI access for read-only users. However, it’s noteworthy that CLI access is disabled by default for read-only administrators.

Customers who have service contracts entitling them to regular software updates should obtain security fixes through their usual update channels. Cisco recommends that customers should evaluate the applicability and effectiveness of the workaround in their environments before implementation.

Security experts urge all users and administrators of Cisco Expressway Series and Cisco TelePresence VCS to apply the necessary updates or workarounds promptly to safeguard their systems against potential exploitation.

For further information, please refer to the official advisory on Cisco’s website: Cisco Security Advisory