Headline
CVE-2023-20210: Cisco Security Advisory: Cisco BroadWorks Privilege Escalation Vulnerability
A vulnerability in Cisco BroadWorks could allow an authenticated, local attacker to elevate privileges to the root user on an affected device. The vulnerability is due to insufficient input validation by the operating system CLI. An attacker could exploit this vulnerability by issuing a crafted command to the affected system. A successful exploit could allow the attacker to execute commands as the root user. To exploit this vulnerability, an attacker must have valid BroadWorks administrative privileges on the affected device.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Fixed Releases
At the time of publication, the release information in the following tables was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
The left column lists Cisco software releases, and the right column indicates whether a release was affected by the vulnerability that is described in this advisory and which release included the fix for this vulnerability.
BroadWorks Application Delivery Platform, Database Troubleshooting Server, Media Server, and Service Control Function Server
First Fixed Release
Release Independent (RI)
Rel_2023.05_1.290
Cisco BroadWorks Application Server
First Fixed Release
22.0 and earlier
Migrate to a fixed release.
23.0
AP.platform.23.0.1075.ap385266
24.0
AP.as.24.0.944.ap385266
Release Independent (RI)
Rel\_2023.05\_1.290
BroadWorks Database Server, Execution Server, Network Database Server, and Network Function Manager
First Fixed Release
22.0 and earlier
Migrate to a fixed release.
Release Independent (RI)
Rel\_2023.05\_1.290
BroadWorks Network Server, Profile Server, and Xtended Services Platform
First Fixed Release
22.0 and earlier
Migrate to a fixed release.
23.0
AP.platform.23.0.1075.ap385266
Release Independent (RI)
Rel\_2023.05\_1.290
The following products have reached the end-of-software-maintenance point in the end-of-life process. Cisco has not and will not release software updates to address this vulnerability for these products.
* BroadWorks Messaging Server
* BroadWorks Sharing Server
* BroadWorks Video Server
* BroadWorks WebRTC Server
See the Cisco End-of-Life Policy for more information.
The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.