Cisco has released security fixes to address multiple security flaws, including a critical bug, that could be exploited by a threat actor to take control of an affected system or cause a denial-of service (DoS) condition.
The most severe of the issues is CVE-2023-20238, which has the maximum CVSS severity rating of 10.0. It’s described as an authentication bypass flaw in the Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform.
Successful exploitation of the vulnerability — a weakness in the single sign-on (SSO) implementation and discovered during internal testing — could allow an unauthenticated, remote attacker to forge the credentials required to access an affected system.
“This vulnerability is due to the method used to validate SSO tokens,” Cisco said. “An attacker could exploit this vulnerability by authenticating to the application with forged credentials. A successful exploit could allow the attacker to commit toll fraud or to execute commands at the privilege level of the forged account.”
“If that account is an Administrator account, the attacker would have the ability to view confidential information, modify customer settings, or modify settings for other users. To exploit this vulnerability, the attacker would need a valid user ID that is associated with an affected Cisco BroadWorks system.”
The issue, per the company, impacts the two BroadWorks products and have one of the following apps enabled: AuthenticationService, BWCallCenter, BWReceptionist, CustomMediaFilesRetrieval, ModeratorClientApp, PublicECLQuery, PublicReporting, UCAPI, Xsi-Actions, Xsi-Events, Xsi-MMTel, or Xsi-VTR.
Fixes for the vulnerability are available in version AP.platform.23.0.1075.ap385341, 2023.06_1.333, and 2023.07_1.332.
Also resolved by Cisco is a high-severity flaw in the RADIUS message processing feature of Cisco Identity Services Engine (CVE-2023-20243, CVSS score: 8.6) that could allow an unauthenticated, remote attacker to cause the affected system to stop processing RADIUS packets.
“This vulnerability is due to improper handling of certain RADIUS accounting requests,” Cisco said. “A successful exploit could allow the attacker to cause the RADIUS process to unexpectedly restart, resulting in authentication or authorization timeouts and denying legitimate users access to the network or service.”
CVE-2023-20243 impacts versions 3.1 and 3.2 of Cisco Identity Services Engine. It has been patched in versions 3.1P7 and 3.2P3. Other versions of the product are not susceptible.
Rounding off the list from Cisco is an unpatched medium-severity flaw (CVE-2023-20269, CVSS score: 5.0) in Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software that the company said could allow an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user.
Alternatively, it could permit an unauthenticated, remote attacker to easily conduct a brute-force attack in an attempt to identify valid username and password combinations and then use them to establish an unauthorized remote access VPN session.
The update follows a warning from cybersecurity firm Rapid7 last month about a surge in brute-force activity aimed at Cisco ASA SSL VPN appliances in order to deploy Akira and LockBit ransomware, indicating CVE-2023-20269 is being actively exploited in the wild to gain unauthorized access.
Juniper Networks Addresses Severe BGP Flaw with Out-of-Band Update
The advisories come days after Juniper Networks shipped an out-of-band update for an improper input validation flaw in the Routing Protocol Daemon (rpd) of Junos OS and Junos OS Evolved, which allows an unauthenticated, network-based attacker to cause a DoS condition.
The vulnerability affects several Border Gateway Protocol (BGP) implementations, per security researcher Ben Cartwright-Cox, who made the discovery. Juniper Networks is tracking it as CVE-2023-4481 (CVSS score: 7.5), FRRouting as CVE-2023-38802, and OpenBSD OpenBGPd as CVE-2023-38283.
“When certain specific crafted BGP UPDATE messages are received over an established BGP session, one BGP session may be torn down with an UPDATE message error, or the issue may propagate beyond the local system which will remain non-impacted, but may affect one or more remote systems,” Juniper Networks said.
Dive deep into the future of SaaS security with Maor Bin, CEO of Adaptive Shield. Discover why identity is the new endpoint. Secure your spot now.
“This issue is exploitable remotely as the crafted UPDATE message can propagate through unaffected systems and intermediate BGP speakers. Continuous receipt of the crafted BGP UPDATE messages will create a sustained denial-of-service (DoS) condition for impacted devices.”
However for the attack to be successful, a remote attacker is required to have at least one established BGP session. The vulnerability has been fixed in Junos OS 23.4R1 and Junos OS Evolved 23.4R1-EVO.
Unpatched Tenda Modem Router Vulnerability
In a related development, CERT Coordination Center (CERT/CC) detailed an unpatched authentication bypass vulnerability in Tenda’s N300 Wireless N VDSL2 Modem Router (CVE-2023-4498) that could allows a remote, unauthenticated user to access sensitive information via a specially crafted request.
“Successful exploitation of this vulnerability could grant the attacker access to pages that would otherwise require authentication,” CERT/CC said. “An unauthenticated attacker could thereby gain access to sensitive information, such as the Administrative password, which could be used to launch additional attacks.”
In the absence of a security update, it’s advised that users disable both the remote (WAN-side) administration services and the web interface on the WAN on any SoHo router.
Update
The CERT Coordination Center (CERT/CC), on September 12, 2023, released an advisory warning that the security vulnerability impacting multiple BGP implementations causes susceptible routers to “de-peer” upon receiving a specially crafted BGP UPDATE message and result in route flapping.
“A remote attacker could publish a BGP UPDATE with a crafted set of Path Attributes, causing vulnerable routers to de-peer from any link from which such an update was received,” CERT/CC said. “Unaffected routers might also pass the crafted updates across the network, potentially leading to the update arriving at an affected router from multiple sources, causing multiple links to fail.”
Outside of Juniper Networks, FRRouting, and OpenBGPd, the flaw also affects other vendors like D-Link, EXOS (CVE-2023-40457), Red Hat, and Ubuntu.
