cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
477
Views
215
Helpful
7
Replies

Latest Cisco Expressway / VCS Vulnerability

Hes
Beginner
Beginner

The following vulnerability seems to be accessible only via the web-based management interface of Cisco Expressway Series and Cisco TelePresence VCS.

 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-filewrite-87Q5YRk

 

However the Cisco Security Advisory is somewhat unclear if this then still can be exploited as it states “There are no workarounds that address these vulnerabilities.”

One would think that disabling access to the web-based management interface would be sufficient?

7 Replies 7

b.winter
Advocate
Advocate

Why don't you just upgrade the Expressway, if it is possible?

The upgrade of Expressway is one of the easiest ones in all the Cisco UC environment.

Yes indeed. It's the "if possible" part
It's for a company with multi-layered management team and it's also holiday season so currently there are little people that are able to make decisions on this (the rest went skiing :-))
So would be great if Cisco could state that it's fine to upgrade at a somewhat later time if the management interfaces are closed off.

But how would you close the "web-based" management interfaces?

I couldn't think of any settings in the GUI (probably also no command via CLI, but haven't checked that)

There is a firewall in front of the VCSes. 

Also under System > Protection > Firewall rules you can set up rules on the VCS itself.

Ok, yes, but that's the normal setup with the firewalls.

But still, you can't disable the full web service. If you would block the traffic (e.g. 443), then you won't be able to manage it via GUI or will cut of your MRA feature (on port 8443).

You could re-configure the GUI port to e.g. 7443, but then this port is open again.

Ah yes. On the VCS firewall rules you need can only allow, block and drop.
On the "real" firewall there you can block everything except trusted address.

Still you would not really shutdown the web service and as such you would be affected by the defect.

Having rules in place to limit traffic to the bare minimum for the service to work is best practices. Part of this would definitely be to only allow access to the web UI from internal sources.



Response Signature


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: