Cisco has addressed privilege escalation vulnerabilities that affect Cisco Expressway Series and Cisco TelePresence Video Communication Server. CVE-2023-20105 and CVE-2023-20192 have been given Critical and High severity ratings with a CVSS score of 9.6 and 8.4, respectively.
CVE-2023-20105 was encountered during internal security testing by Jason Crowder of the Cisco Advanced Security Initiatives Group (ASIG).
CVE-2023-20105 could allow an attacker with read-only Administrator permissions to elevate their privileges to read-write Administrator permissions on the target system.
CVE-2023-20192 may allow attackers to elevate their privileges from read-only Administrator-level CLI credentials to read-write Administrator-level credentials on the affected system.
CVE-2023-20105: Cisco Expressway Series and Cisco TelePresence VCS Privilege Escalation Vulnerability
The vulnerability existing in the change password functionality of Cisco Expressway Series and Cisco TelePresence VCS is caused by incorrect handling of password change requests.
An authenticated remote attacker could exploit this vulnerability by logging into the application as a read-only administrator and sending a specially crafted request to the web-based administration interface. An attacker could modify the passwords of any user on the network, including the read-write Administrator, and then impersonate that user on successful exploitation.
CVE-2023-20192: Cisco Expressway Series and Cisco TelePresence VCS Privilege Escalation Vulnerability
The vulnerability existing in the privilege management functionality of Cisco Expressway Series and Cisco TelePresence VCS arises due to the incorrect implementation of user role permissions.
An authenticated, local attacker may exploit this vulnerability by logging into the application as a read-only CLI administrator and issuing commands usually reserved for administrators with read-write privileges. A successful attack could allow an attacker to execute additional commands beyond their access level, including modifying system configuration parameters.
- Cisco TelePresence VCS Release before version 14.3.0
- Cisco TelePresence VCS Release before version 14.2.1
Cisco has released a Cisco TelePresence VCS Release version 14.3.0 and Cisco TelePresence VCS Release version 14.2.1 to patch the vulnerabilities.
Customers can refer to the Cisco Security Advisory (cisco-sa-expressway-priv-esc-Ls2B9t7b) for information about the vulnerabilities.
Workaround for CVE-2023-20192
Disable CLI access for read-only users. CLI access is disabled by default for read-only administrators.
Qualys customers can scan their devices with QIDs 38897 and 38898 to detect vulnerable assets.
Note: The QIDs only work for Cisco TelePresence Video Communication Server.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.