Cisco SSO authentication bug patched

By

BroadWorks platforms vulnerable.

Cisco has announced patches for a critical credential forgery bug in some of its BroadWorks platforms.

Cisco SSO authentication bug patched

The networking vendor said CVE-2023-20238 affects the single sign-on implementation used by its BroadWorks Xtended Services platform and BroadWorks application delivery platform.

The bug “could allow an unauthenticated, remote attacker to forge the credentials required to access an affected system”, the advisory stated.

An attacker using a valid user ID to authenticate with forged credentials could commit toll fraud, the advisory said, or “execute commands at the privilege level of the forged account” – all the way up to administrator level.

At that level, “the attacker would have the ability to view confidential information, modify customer settings, or modify settings for other users.”

The two BroadWorks platforms are affected if they have any of the following applications enabled: AuthenticationService, BWCallCenter, BWReceptionist, CustomMediaFilesRetrieval, ModeratorClientApp, PublicECLQuery, PublicReporting, UCAPI, Xsi-Actions, Xsi-Events, Xsi-MMTel, or Xsi-VTR," Cisco said.

Users of BroadWorks Application Delivery and Xtended Services version 22 or below need to migrate to a fixed release; a patch is available for users on version 23 branches.

In a separate advisory, Cisco also announced a high-severity denial-of-service bug in its Identity Services Engine (ISE), CVE-2023-20243.

The ISE’s RADIUS message processor, present in a number of network access devices, can be crashed with a crafted packet.

Another four less severe bugs were patched in Cisco’s latest cycle.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Services Australia's sweeping security uplift plans for myGov

Services Australia's sweeping security uplift plans for myGov

Medibank allegedly missed EDR alerts before data breach

Medibank allegedly missed EDR alerts before data breach

Northern Beaches Council reviews security stack to shore up widening perimeter

Northern Beaches Council reviews security stack to shore up widening perimeter

CrowdStrike rejects Delta Air Lines claims over outage

CrowdStrike rejects Delta Air Lines claims over outage

Log In

  |  Forgot your password?