In recent days, Cisco published several security bulletins indicating that multiple vulnerabilities have been found in the API and management interface of Cisco Expressway and Cisco TelePresence Video Communication Server (VCS) devices. These weaknesses allow remote attackers to read and write application files and to execute code on the system with root privileges, which is why Cisco is asking customers to update the operating systems of these devices promptly. In addition, a vulnerability was discovered in Cisco Identity Services Engine (Cisco ISE) that allows a denial of service against RADIUS authentication.
Two distinct issues, both rated critical, were found by Cisco's internal research team, the Advanced Security Initiatives Group (ASIG), in Cisco Expressway and Cisco VCS. These vulnerabilities, tracked as CVE-2022-20754 and CVE-2022-20755, are independent: neither needs to be exploited for the other to work. In the first case, the weakness lies in the API of these two products and could allow an attacker to perform a directory traversal attack, reaching locations outside the intended directories where they could read and write system files, all with root permissions. In the second case, the weakness lies in the web administration interface of the same products and could allow an authenticated remote attacker to execute arbitrary commands with root permissions.
Separately, a vulnerability has been published for Cisco Identity Services Engine (Cisco ISE) that could result in a denial of service. This vulnerability, identified as CVE-2022-20756, would allow an attacker to send authentication request packets on a network where this service is connected to a RADIUS server, blocking the authentication process and causing timeouts for every other device that tries to authenticate, which amounts to a denial of service. It is important to note that this only applies when a RADIUS server is enabled; authentication against TACACS servers is not affected. Because restoring the affected service after such an attack requires restarting the node, Cisco has released a series of patches that it recommends applying as soon as possible.
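To illustrate the class of weakness behind CVE-2022-20754, here is an added example (not Cisco code, and not taken from the advisory) of a hypothetical file-serving API handler in its vulnerable and hardened forms, using a constructed temporary directory in place of the appliance's real file store:

```python
import tempfile
from pathlib import Path

# Constructed sandbox standing in for an appliance's application file
# store. Nothing here is Cisco code; the products' real layout is unknown.
SANDBOX = Path(tempfile.mkdtemp(prefix="traversal_demo_"))
APP_ROOT = SANDBOX / "app"
APP_ROOT.mkdir()
(APP_ROOT / "config.xml").write_text("<config/>")
# A file that lives outside the directory the API is meant to expose.
(SANDBOX / "outside.txt").write_text("sensitive")


def read_file_vulnerable(name: str) -> str:
    """Hypothetical handler: joins untrusted input straight onto APP_ROOT.

    A name such as '../outside.txt' walks out of APP_ROOT, and an absolute
    name replaces it entirely (pathlib discards the left side when the
    right side is absolute). If the service runs as root, every file on
    the system becomes reachable through this one endpoint.
    """
    return (APP_ROOT / name).read_text()


def is_inside_root(name: str) -> bool:
    """True only if the fully resolved target stays under APP_ROOT.

    resolve() collapses '..' and follows symlinks, so a link planted
    inside APP_ROOT that points outside it is rejected as well.
    """
    root = APP_ROOT.resolve()
    target = (APP_ROOT / name).resolve()
    return target == root or root in target.parents


def read_file_hardened(name: str) -> str:
    """Same API surface, but refuses any path that escapes APP_ROOT."""
    if not is_inside_root(name):
        raise PermissionError(f"path escapes application root: {name!r}")
    return (APP_ROOT / name).read_text()
```

The path check is one layer; running the service under an unprivileged account with write access only to the paths it needs limits what a bypass of this check could reach.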
Recommendations
For the three vulnerabilities described, it is advisable to upgrade to a non-vulnerable version and, in case of doubt, to contact your Cisco vendor to determine whether a detailed system review is necessary.
Use cases*:
- Reconnaissance and Vulnerabilities.
- Brute Force Verification.
- Activity Tracking of a possible Zero-Day Attack.
- Network DoS Activity Detected.
*To have these detections, the client must have contracted SOC services.
For more details, consult the following sources related to this news:
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-filewrite-87Q5YRk
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-dos-JLh9TxBp