Cisco SSO authentication bug patched

By

BroadWorks platforms vulnerable.

Cisco has announced patches for a critical credential forgery bug in some of its BroadWorks platforms.

Cisco SSO authentication bug patched

The networking vendor said CVE-2023-20238 affects the single sign-on implementation used by its BroadWorks Xtended Services platform and BroadWorks application delivery platform.

The bug “could allow an unauthenticated, remote attacker to forge the credentials required to access an affected system”, the advisory stated.

An attacker using a valid user ID to authenticate with forged credentials could commit toll fraud, the advisory said, or “execute commands at the privilege level of the forged account” – all the way up to administrator level.

At that level, “the attacker would have the ability to view confidential information, modify customer settings, or modify settings for other users.”

The two BroadWorks platforms are affected if they have any of the following applications enabled: AuthenticationService, BWCallCenter, BWReceptionist, CustomMediaFilesRetrieval, ModeratorClientApp, PublicECLQuery, PublicReporting, UCAPI, Xsi-Actions, Xsi-Events, Xsi-MMTel, or Xsi-VTR," Cisco said.

Users of BroadWorks Application Delivery and Xtended Services version 22 or below need to migrate to a fixed release; a patch is available for users on version 23 branches.

In a separate advisory, Cisco also announced a high-severity denial-of-service bug in its Identity Services Engine (ISE), CVE-2023-20243.

The ISE’s RADIUS message processor, present in a number of network access devices, can be crashed with a crafted packet.

Another four less severe bugs were patched in Cisco’s latest cycle.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Eagers Automotive finds unauthorised access to parts of IT systems

Eagers Automotive finds unauthorised access to parts of IT systems

Hackers hit Victoria's court recording database

Hackers hit Victoria's court recording database

St Vincent's Health Australia warns cyber attack forensics could "take some time"

St Vincent's Health Australia warns cyber attack forensics could "take some time"

Yakult Australia confirms cyber incident

Yakult Australia confirms cyber incident

Log In

  |  Forgot your password?