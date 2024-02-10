



Cisco has fixed three critical cross-site request forgery (CSRF) vulnerabilities in Expressway Series Collaboration Gateways and a denial of service (DoS) flaw in the ClamAV anti-malware engine. A CSRF flaw allows an unauthenticated attacker to perform arbitrary actions on a vulnerable device by tricking a user into clicking a specially crafted link. The action is performed with the privileges of the victim's account, and its nature varies depending on the vulnerability.
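To make the mechanism concrete, the following added example (not Cisco's code; all names and values are constructed) models a minimal management-interface handler. The browser sends the session cookie with a forged cross-site request just as it does with a genuine one, so without a per-session token check the request succeeds with the victim's privileges; with the check enabled, the forged request is rejected while the legitimate UI, which embeds the token, still works.

```python
from __future__ import annotations
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory stand-in for a web management interface.
# Hypothetical names; this is illustration, not Cisco Expressway code.

@dataclass
class Session:
    user: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))

SESSIONS: dict[str, Session] = {}
ACCOUNTS: set[str] = set()

def login(session_cookie: str, user: str, is_admin: bool) -> str:
    """Create a session; return the CSRF token the legitimate UI embeds in its forms."""
    SESSIONS[session_cookie] = Session(user, is_admin)
    return SESSIONS[session_cookie].csrf_token

def create_account(cookie: str, form: dict, csrf_protection: bool) -> str:
    """Handle a state-changing request (create an account).
    The cookie is attached by the browser to any request to this origin,
    so it cannot distinguish the victim's own click from a forged one;
    only a token the attacker's page cannot read can do that."""
    session = SESSIONS.get(cookie)
    if session is None:
        return "401 no session"
    if not session.is_admin:
        return "403 not admin"
    if csrf_protection:
        supplied = form.get("csrf_token", "")
        # Constant-time compare; a missing or wrong token marks a forged request.
        if not hmac.compare_digest(supplied, session.csrf_token):
            return "403 csrf check failed"
    ACCOUNTS.add(form["username"])
    return "201 created"

def demo() -> dict:
    cookie = "sid-constructed-example"
    token = login(cookie, "admin", is_admin=True)
    forged = {"username": "unwanted_user"}               # form from a third-party page: no token
    genuine = {"username": "ops", "csrf_token": token}    # form rendered by the real UI
    return {
        "forged_unprotected": create_account(cookie, forged, csrf_protection=False),
        "forged_protected": create_account(cookie, forged, csrf_protection=True),
        "genuine_protected": create_account(cookie, genuine, csrf_protection=True),
    }
```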

The first two CSRF issues are tracked as CVE-2024-20252 and CVE-2024-20254 and are rated Critical with a score of 9.8 on the CVSS severity scale. They exist in the Cisco Expressway Series device API and are due to a lack of CSRF protection in the web-based management interface. "If the affected user has administrator privileges, these actions may include changing system settings or creating a new privileged account," Cisco warns in its advisory.

The third CSRF vulnerability is tracked as CVE-2024-20255 and is rated high severity with a score of 8.2, since an attacker can only cause a denial of service condition by overwriting system configuration settings. Unlike the other two flaws, which affect Expressway Series devices in their default configuration, the third flaw only affects devices on which the Cluster Database (CDB) API feature is enabled. This feature is disabled by default.

Cisco Expressway 14.0 customers must upgrade

Cisco recommends that Cisco Expressway Series Release 14.0 customers upgrade to the newly released 14.3.41 version or upgrade to 15.0.01. For the fix to take effect, you must also run the following command: xconfiguration Security CSRFProtection status: "Enabled".

“Cisco TelePresence Video Communication Server (VCS) has reached its end of support date and is no longer included in the Cisco Expressway series advisory,” the company said. “Cisco has not and does not plan to release any software updates for Cisco TelePresence VCS to address the vulnerabilities described in this advisory.”

The flaw affecting ClamAV, a free cross-platform anti-malware toolkit, is tracked as CVE-2024-20290 and is caused by an incorrect check for end-of-string values in the OLE2 file format parser, which results in a buffer overread. A remote attacker could exploit this vulnerability by sending a specially crafted file containing OLE2 content to a ClamAV scanner, causing the scanning process to crash and consume system resources.

"This High Security Impact Rating (SIR) vulnerability only affects Windows-based platforms. On these platforms, the ClamAV scanning process runs as a service and can become stuck in a loop, consuming CPU resources and potentially causing additional delays in scanning operations," Cisco said in the advisory.

