There are no workarounds that address this vulnerability.
While the following mitigations have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
Firewall Rule Modifications
Access to the management plane of Cisco Expressway Series and Cisco TelePresence VCS should be restricted to trusted networks. Administrators can restrict access to the management ports (HTTPS/SSH) within the firewall rules on the device or by using an external firewall. The web UI port numbers can also be modified in the configuration.
As a best practice, access to the management plane of Cisco Expressway Series and Cisco TelePresence VCS should not be exposed to the internet. For additional information, see the Intrusion Protection ["https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/admin_guide/X14-0/exwy_b_cisco-expressway-administrator-guide/exwy_m_network-and-system-settings.html#reference_749C6B6E7566A37934C9AD39ED91E612"] section of the Cisco Expressway Administrator Guide ["https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/admin_guide/X14-0/exwy_b_cisco-expressway-administrator-guide/exwy_m_managing-security.html"].
Dedicated Management Interface
As a best practice, access to the management plane of Cisco Expressway Series and Cisco TelePresence VCS should not be exposed to the internet. Beginning with Release X12.7, the product introduced a Dedicated Management Interface (DMI). Administrators can enable the DMI and implement the following configuration:
Allow the DMI to be the only interface used for management
Configure the DMI to be accessed only from trusted segments
For additional information, see Configuring the Dedicated Management Interface (DMI) ["https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/admin_guide/X14-0/exwy_b_cisco-expressway-administrator-guide/exwy_m_network-and-system-settings.html#reference_5EB4447A6E9556705392D8970EC2EA50"] section of the Cisco Expressway Administrator Guide ["https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/admin_guide/X14-0/exwy_b_cisco-expressway-administrator-guide/exwy_m_managing-security.html"].
Client Certificate-Based Security
This vulnerability can be exploited only by an authenticated administrator. Using client authentication certificates helps prevent brute forcing of the administrative passwords. For additional information, see the Configuring Certificate-Based Authentication ["https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/admin_guide/X14-0/exwy_b_cisco-expressway-administrator-guide/exwy_m_managing-security.html#reference_BCD936F444AADC9C4311E0B1820A89AD"] section of the Cisco Expressway Administrator Guide ["https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/admin_guide/X14-0/exwy_b_cisco-expressway-administrator-guide/exwy_m_managing-security.html"].