Cisco Issues Urgent Fix for Authentication Bypass Bug Affecting BroadWorks Platform
Cisco has released security fixes to address multiple security flaws, including a critical bug, that could be exploited by a threat actor to take control of an affected system or cause a denial-of service (DoS) condition.
The most severe of the issues is CVE-2023-20238, which has the maximum CVSS severity rating of 10.0. It’s described as an authentication bypass flaw in the Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform.
Successful exploitation of the vulnerability — a weakness in the single sign-on (SSO) implementation and discovered during internal testing — could allow an unauthenticated, remote attacker to forge the credentials required to access an affected system.
“This vulnerability is due to the method used to validate SSO tokens,” Cisco said. “An attacker could exploit this vulnerability by authenticating to the application with forged credentials. A successful exploit could allow the attacker to commit toll fraud or to execute commands at the privilege level of the forged account.”
“If that account is an Administrator account, the attacker would have the ability to view confidential information, modify customer settings, or modify settings for other users. To exploit this vulnerability, the attacker would need a valid user ID that is associated with an affected Cisco BroadWorks system.”
The issue, per the company, impacts the two BroadWorks products and have one of the following apps enabled: AuthenticationService, BWCallCenter, BWReceptionist, CustomMediaFilesRetrieval, ModeratorClientApp, PublicECLQuery, PublicReporting, UCAPI, Xsi-Actions, Xsi-Events, Xsi-MMTel, or Xsi-VTR.
Fixes for the vulnerability are available in version AP.platform.23.0.1075.ap385341, 2023.06_1.333, and 2023.07_1.332.
Also resolved by Cisco is a high-severity flaw in the RADIUS message processing feature of Cisco Identity Services Engine (CVE-2023-20243, CVSS score: 8.6) that could allow an unauthenticated, remote attacker to cause the affected system to stop processing RADIUS packets.
“This vulnerability is due to improper handling of certain RADIUS accounting requests,” Cisco said. “A successful exploit could allow the attacker to cause the RADIUS process to unexpectedly restart, resulting in authentication or authorization timeouts and denying legitimate users access to the network or service.”
CVE-2023-20243 impacts versions 3.1 and 3.2 of Cisco Identity Services Engine. It has been patched in versions 3.1P7 and 3.2P3. Other versions of the product are not susceptible.
Juniper Networks Addresses Severe BGP Flaw with Out-of-Band Update
The advisories come days after Juniper Networks shipped an out-of-band update for an improper input validation flaw in the Routing Protocol Daemon (rpd) of Junos OS and Junos OS Evolved, which allows an unauthenticated, network-based attacker to cause a DoS condition.
The vulnerability affects several Border Gateway Protocol (BGP) implementations, per security researcher Ben Cartwright-Cox, who made the discovery. Juniper Networks is tracking it as CVE-2023-4481 (CVSS score: 7.5), FRRouting as CVE-2023-38802, and OpenBSD OpenBGPd as CVE-2023-38283.
“When certain specific crafted BGP UPDATE messages are received over an established BGP session, one BGP session may be torn down with an UPDATE message error, or the issue may propagate beyond the local system which will remain non-impacted, but may affect one or more remote systems,” Juniper Networks said.
Way Too Vulnerable: Uncovering the State of the Identity Attack Surface
Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats
“This issue is exploitable remotely as the crafted UPDATE message can propagate through unaffected systems and intermediate BGP speakers. Continuous receipt of the crafted BGP UPDATE messages will create a sustained denial-of-service (DoS) condition for impacted devices.”
However for the attack to be successful, a remote attacker is required to have at least one established BGP session. The vulnerability has been fixed in Junos OS 23.4R1 and Junos OS Evolved 23.4R1-EVO.
Unpatched Tenda Modem Router Vulnerability
In a related development, CERT Coordination Center (CERT/CC) detailed an unpatched authentication bypass vulnerability in Tenda’s N300 Wireless N VDSL2 Modem Router (CVE-2023-4498) that could allows a remote, unauthenticated user to access sensitive information via a specially crafted request.
“Successful exploitation of this vulnerability could grant the attacker access to pages that would otherwise require authentication,” CERT/CC said. “An unauthenticated attacker could thereby gain access to sensitive information, such as the Administrative password, which could be used to launch additional attacks.”
In the absence of a security update, it’s advised that users disable both the remote (WAN-side) administration services and the web interface on the WAN on any SoHo router.