Vulnslist

There are no workarounds that address this vulnerability.

While the following mitigations have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
Firewall Rule Modifications
Access to the management plane of Cisco Expressway Series and Cisco TelePresence VCS should be restricted to trusted networks. Administrators can restrict access to the management ports (HTTPS/SSH) within the firewall rules on the device or by using an external firewall. The web UI port numbers can also be modified in the configuration.

As a best practice, access to the management plane of Cisco Expressway Series and Cisco TelePresence VCS should not be exposed to the internet. For additional information, see the Intrusion Protection https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/admin_guide/X14-0/exwy_b_cisco-expressway-administrator-guide/exwy_m_network-and-system-settings.html#reference_749C6B6E7566A37934C9AD39ED91E612 section of the Cisco Expressway Administrator Guide https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/admin_guide/X14-0/exwy_b_cisco-expressway-administrator-guide/exwy_m_managing-security.html .
Dedicated Management Interface
As a best practice, access to the management plane of Cisco Expressway Series and Cisco TelePresence VCS should not be exposed to the internet. Beginning with Release X12.7, the product introduced a Dedicated Management Interface (DMI). Administrators can enable the DMI and implement the following configuration:

Allow the DMI to be the only interface used for management
Configure the DMI to be accessed only from trusted segments

For additional information, see Configuring the Dedicated Management Interface (DMI) https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/admin_guide/X14-0/exwy_b_cisco-expressway-administrator-guide/exwy_m_network-and-system-settings.html#reference_5EB4447A6E9556705392D8970EC2EA50 section of the Cisco Expressway Administrator Guide https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/admin_guide/X14-0/exwy_b_cisco-expressway-administrator-guide/exwy_m_managing-security.html .
Client Certificate-Based Security
This vulnerability can be exploited only by an authenticated administrator. Using client authentication certificates helps prevent brute forcing of the administrative passwords. For additional information, see the Configuring Certificate-Based Authentication https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/admin_guide/X14-0/exwy_b_cisco-expressway-administrator-guide/exwy_m_managing-security.html#reference_BCD936F444AADC9C4311E0B1820A89AD section of the Cisco Expressway Administrator Guide https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/admin_guide/X14-0/exwy_b_cisco-expressway-administrator-guide/exwy_m_managing-security.html .