CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:X/RL:X/RC:X
-
The Traversal Using Relays around NAT (TURN) server component of Cisco Expressway software supports the relay of media connections through a firewall using proxy services. As a result of this feature, interfaces such as the Cisco Expressway web administrative interface may become accessible from external networks.
At the time of publication, documentation of the feature did not properly explain that users are able to bypass firewall protections that are designed to restrict access to the Cisco Expressway web administrative interface. However, an attacker must have credentials sufficient to use TURN services to be able to send network requests to the web administrative interface.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-Expressway-8J3yZ7hV
-
Vulnerable Products
This issue impacts Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) with the TURN server feature enabled.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory are known to be affected.
Cisco has confirmed that Cisco Expressway Series and Cisco TelePresence VCS systems that do not have the TURN server feature enabled are not affected.
-
The Cisco Expressway IP Port Usage Configuration Guide recommends firewall configuration to prevent access to administrative ports from external networks. However, when TURN services are enabled, administrative ports are accessible through the TURN server from external networks. Customers should be aware that enabling the TURN services exposes administrative ports on the Cisco Expressway Series or Cisco TelePresence VCS host.
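The reachability described above arises because a TURN relay forwards packets to whatever peer address the authenticated client names in a CreatePermission or ChannelBind request. The following is an added example, not Cisco code and not an Expressway configuration option: a server-side relay-policy check that decodes the XOR-PEER-ADDRESS attribute (RFC 5389/5766 encoding) from such a request and refuses permissions whose target is the relay host's own administrative endpoint. The protected address 10.0.0.5, the admin ports 22 and 443, and the STUN messages used as input are constructed for this illustration; the check is assumed to run after the TURN server has already authenticated the client.

```python
import struct
import ipaddress

# STUN/TURN constants (RFC 5389 / RFC 5766).
MAGIC_COOKIE = 0x2112A442
CREATE_PERMISSION_REQUEST = 0x0008   # method 0x008, request class
CHANNEL_BIND_REQUEST = 0x0009        # method 0x009, request class
XOR_PEER_ADDRESS = 0x0012

# Constructed example policy: the relay host's own internal address and the
# administrative ports that a TURN relay must never be allowed to reach.
# These values are assumptions for this example, not Expressway settings.
PROTECTED_NETWORKS = [ipaddress.ip_network("10.0.0.5/32")]
ADMIN_PORTS = {22, 443}


def parse_stun_message(data: bytes):
    """Split a STUN message into (message type, [(attr type, value), ...])."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie")
    end = 20 + msg_len
    if len(data) < end:
        raise ValueError("truncated STUN message")
    attrs, pos = [], 20
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        attrs.append((atype, value))
        pos += 4 + ((alen + 3) & ~3)   # attribute values are padded to 4 bytes
    return msg_type, attrs


def decode_xor_peer_address(value: bytes):
    """Decode an IPv4 XOR-PEER-ADDRESS value into (address string, port)."""
    if len(value) < 8 or value[1] != 0x01:
        raise ValueError("only IPv4 XOR-PEER-ADDRESS is handled in this example")
    xport, xaddr = struct.unpack("!HI", value[2:8])
    port = xport ^ (MAGIC_COOKIE >> 16)
    addr = ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE)
    return str(addr), port


def encode_xor_peer_address(addr: str, port: int) -> bytes:
    """Inverse of decode_xor_peer_address; used to build constructed input."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(addr)) ^ MAGIC_COOKIE
    return struct.pack("!BBHI", 0, 0x01, xport, xaddr)


def build_turn_request(msg_type: int, peers) -> bytes:
    """Build a minimal TURN request carrying one XOR-PEER-ADDRESS per peer.
    Authentication attributes (USERNAME, MESSAGE-INTEGRITY) are omitted; the
    policy below is assumed to run after the client has been authenticated."""
    body = b""
    for addr, port in peers:
        value = encode_xor_peer_address(addr, port)
        body += struct.pack("!HH", XOR_PEER_ADDRESS, len(value)) + value
    header = struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + bytes(12)
    return header + body   # the 12 zero bytes stand in for a transaction ID


def check_relay_request(data: bytes) -> dict:
    """Decide whether a CreatePermission/ChannelBind request may be honoured.

    Returns {"decision": "allow" | "deny" | "not-a-permission-request",
             "peers": [(addr, port), ...], "denied": [reason, ...]}.
    """
    msg_type, attrs = parse_stun_message(data)
    result = {"message_type": msg_type, "peers": [], "denied": []}
    if msg_type not in (CREATE_PERMISSION_REQUEST, CHANNEL_BIND_REQUEST):
        result["decision"] = "not-a-permission-request"
        return result
    for atype, value in attrs:
        if atype != XOR_PEER_ADDRESS:
            continue
        addr, port = decode_xor_peer_address(value)
        result["peers"].append((addr, port))
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in PROTECTED_NETWORKS) and port in ADMIN_PORTS:
            result["denied"].append(f"{addr}:{port} is a protected administrative endpoint")
    result["decision"] = "deny" if result["denied"] else "allow"
    return result


if __name__ == "__main__":
    # Constructed sample: a relay permission aimed at the host's own HTTPS port.
    suspect = build_turn_request(CREATE_PERMISSION_REQUEST, [("10.0.0.5", 443)])
    print(check_relay_request(suspect))
```

A stricter deployment would refuse any peer inside the management network regardless of port, and would log denied requests together with the authenticated TURN username so that repeated attempts to reach administrative endpoints surface in monitoring. The check complements, rather than replaces, the point the advisory makes: with TURN enabled, firewall rules on the external interface alone no longer restrict access to the administrative ports.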
-
There are no workarounds that address this issue.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the issue that is described in this advisory.
-
Cisco would like to thank Christian Mehlmauer of WienCERT-IT-Security in the City of Vienna for reporting this issue.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version | Description | Section | Status | Date
2.0 | Changed the advisory SIR from Medium to Informational. Updated throughout to explain that this is not a vulnerability. Removed the Fixed Software section. | Summary, Vulnerable Products, Details, and Fixed Software | Final | 2021-JAN-20
1.1 | Included additional information about the vulnerable configuration. | Affected Products | Final | 2020-NOV-25
1.0 | Initial public release. | — | Final | 2020-NOV-18
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.