Cisco has fastened three severe cross-site request forgery (CSRF) vulnerabilities in its Expressway Sequence collaboration gateway and a denial-of-service (DoS) flaw within the ClamAV anti-malware engine. CSRF flaws enable unauthenticated attackers to carry out arbitrary actions on weak units by tricking customers to click on on a particularly crafted hyperlink. The actions execute with the privilege of the sufferer’s account and their nature is determined by the vulnerability.
The primary two CSRF points, tracked as CVE-2024-20252 and CVE-2024-20254, are rated as essential with a rating of 9.8 on the CVSS severity scale. The issues are positioned within the API of Cisco Expressway Sequence units and stem from a scarcity of CSRF protections within the web-based administration interface.”If the affected consumer has administrative privileges, these actions may embody modifying the system configuration and creating new privileged accounts,” Cisco warns in its advisory.
The third CSRF vulnerability, tracked as CVE-2024-20255, is rated as excessive severity with a rating of 8.2 as a result of it may solely enable attackers to trigger a denial-of-service situation by overwriting system configuration settings. Not like the opposite two flaws, which have an effect on Expressway Sequence units of their default configuration, the third flaw additionally solely impacts units if the cluster database (CDB) API characteristic has been enabled. This characteristic is disabled by default.
Cisco Expressway 14.0 clients ought to improve
Cisco advises clients of Cisco Expressway Sequence launch 14.0 to improve to the newly launched 14.3.41 model or improve to fifteen.0.01. To allow the repair, clients additionally should run the next command: xconfiguration Safety CSRFProtection standing: “Enabled”.
“Cisco TelePresence Video Communication Server (VCS) has reached its end-of-support date and is not included in Cisco Expressway Sequence advisories,” the corporate mentioned. “Cisco has not launched and won’t launch software program updates for Cisco TelePresence VCS to handle the vulnerabilities which can be described on this advisory.”
The flaw affecting ClamAV, a free and cross-platform anti-malware toolkit, is tracked as CVE-2024-20290 and is a heap buffer over-read brought on by incorrect checks for end-of-string values within the OLE2 file format parser. A distant attacker may exploit this vulnerability by sending a specifically crafted file with OLE2 content material to the ClamAV scanner, which may crash the scanning course of and eat system sources.
“This vulnerability, which has a Excessive Safety Impression Score (SIR), impacts solely Home windows-based platforms as a result of these platforms run the ClamAV scanning course of as a service that would enter a loop situation, which might eat accessible CPU sources and delay or forestall additional scanning operations,” Cisco mentioned in its advisory.