Cisco Web-Based Management Interface Vulnerability Allows Privilege Escalation

Information:

     Cisco Web-Based Management Interface is an embedded GUI-based device-management tool that provides the ability to provision the device, to simplify device deployment and manageability, and to enhance the user experience. It ships with the default image, so nothing needs to be enabled and no license needs to be installed on the device. The WebUI can be used to build configurations and to monitor and troubleshoot the device without CLI expertise.

Incident:

  Cisco has disclosed a critical vulnerability in the JSON-RPC API feature used by the web-based management interfaces of several products, including Cisco Crosswork Network Services Orchestrator (NSO), Cisco Optical Site Manager, and Cisco RV340 Dual WAN Gigabit VPN Routers.

  The flaw, tracked as CVE-2024-20381, could allow authenticated remote attackers to modify the configuration of affected devices and escalate their privileges.

  The vulnerability stems from improper authorization checks on the JSON-RPC API. Attackers with sufficient privileges to access the vulnerable application or device could exploit this issue by sending malicious requests to the API.

  Successful exploitation would allow attackers to make unauthorized changes to the device configuration, such as creating new user accounts or elevating their privileges.

Recommendation:

  This flaw impacts the following Cisco products regardless of configuration:

   : Optical Site Manager

     Cisco Optical Site Manager Release | First Fixed Release
     Earlier than 24.3                  | 24.3.1

   : Crosswork NSO

     Cisco Crosswork NSO Release | First Fixed Release
     5.5                         | 5.5.10.1
     5.6                         | 5.6.14.3
     5.7                         | 5.7.16
     5.8                         | 5.8.13.1
     6.0                         | 6.0.13
     6.1                         | 6.1.8.1, 6.1.9
     6.2                         | 6.2.3
     6.3                         | Not affected

  : RV340 Dual WAN Gigabit VPN Routers

- Customers are advised to upgrade to an appropriate fixed release. However, Cisco will not provide patches for the RV340 routers as they have reached end-of-life.

Recommendation:

   It also affects ConfD if the JSON-RPC API feature is enabled.

  To determine whether the JSON-RPC API feature is enabled in ConfD, check the confd.conf configuration file for the webui setting. If webui is set to true and valid TCP or SSL transports and ports are configured, the application web server can process JSON-RPC requests and may therefore be vulnerable.

 Vulnerable ConfD versions include:

     ConfD Release | Affected Releases    | First Fixed Release
     7.5           | 7.5 through 7.5.10.1 | 7.5.10.2
     7.7           | 7.7 through 7.7.15   | 7.7.16
     8.0           | 8.0 through 8.0.12   | 8.0.13
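The two checks above (is the JSON-RPC API reachable, and is the ConfD release in an affected range) can be scripted so they run the same way on every ConfD host. The following is an added example written for this bulletin, not Cisco's or Tail-f's own tooling. It assumes confd.conf is XML with a webui element holding an enabled flag and a transport element with tcp and ssl listeners, each with enabled, ip and port children under the tail-f confd_cfg namespace; the sample configuration embedded in the block is constructed for illustration, and the version ranges are those from the table above.

```python
import xml.etree.ElementTree as ET

# Constructed sample confd.conf. The element layout (webui/enabled,
# webui/transport/tcp|ssl with enabled/ip/port) and the namespace are
# assumptions for this example; values are illustrative only.
SAMPLE_CONFD_CONF = """<?xml version="1.0"?>
<confdConfig xmlns="http://tail-f.com/ns/confd_cfg/1.0">
  <webui>
    <enabled>true</enabled>
    <transport>
      <tcp>
        <enabled>true</enabled>
        <ip>0.0.0.0</ip>
        <port>8008</port>
      </tcp>
      <ssl>
        <enabled>false</enabled>
        <ip>0.0.0.0</ip>
        <port>8888</port>
      </ssl>
    </transport>
  </webui>
</confdConfig>
"""

def _local(tag):
    """Strip an XML namespace prefix: '{ns}name' -> 'name'."""
    return tag.rsplit('}', 1)[-1]

def _child(node, name):
    """First direct child whose local tag name matches, or None."""
    for c in node:
        if _local(c.tag) == name:
            return c
    return None

def _is_true(node, name):
    c = _child(node, name)
    return c is not None and (c.text or '').strip().lower() == 'true'

def jsonrpc_exposure(confd_xml):
    """Return [(transport, ip, port), ...] for every enabled web UI listener
    with a valid port. An empty list means the JSON-RPC API is not reachable
    through the web server as configured."""
    root = ET.fromstring(confd_xml)
    webui = _child(root, 'webui')
    if webui is None or not _is_true(webui, 'enabled'):
        return []
    transport = _child(webui, 'transport')
    if transport is None:
        return []
    listeners = []
    for name in ('tcp', 'ssl'):
        t = _child(transport, name)
        if t is None or not _is_true(t, 'enabled'):
            continue
        port_node = _child(t, 'port')
        ip_node = _child(t, 'ip')
        try:
            port = int((port_node.text or '').strip())
        except (AttributeError, ValueError):
            continue  # no usable port: not a valid listener
        if not 1 <= port <= 65535:
            continue
        ip = (ip_node.text or '').strip() if ip_node is not None else ''
        listeners.append((name, ip, port))
    return listeners

# First fixed release per affected train, taken from the bulletin's table.
CONFD_FIXED = {
    (7, 5): (7, 5, 10, 2),
    (7, 7): (7, 7, 16),
    (8, 0): (8, 0, 13),
}

def parse_version(s):
    return tuple(int(p) for p in s.strip().split('.'))

def confd_is_affected(version):
    """True if the release is in a listed train and below its first fixed
    release; None if the train is not listed in the bulletin."""
    v = parse_version(version)
    fixed = CONFD_FIXED.get(v[:2])
    if fixed is None:
        return None
    return v < fixed  # tuple comparison: (7,5) < (7,5,10,2) is True

def assess(confd_xml, version):
    """Combine both checks; action is needed only when the release is
    affected and the JSON-RPC API is actually exposed."""
    listeners = jsonrpc_exposure(confd_xml)
    affected = confd_is_affected(version)
    return {
        'version': version,
        'affected_release': affected,
        'jsonrpc_listeners': listeners,
        'action_needed': bool(affected) and bool(listeners),
    }

if __name__ == '__main__':
    print(assess(SAMPLE_CONFD_CONF, '7.7.15'))
```

Run it against each host's real confd.conf and reported ConfD version; a result with action_needed set should be upgraded to the first fixed release for its train, and a host whose train is not in the table (affected_release is None) needs a manual check against the Cisco advisory.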


Security systems are what matter most here; we must stay vigilant and keep monitoring as usual.
For more information please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)
0613879439 (Ms. Sirilak)
0922576902 (Ms. Narusorn)


References:

- https://cybersecuritynews.com/cisco-web-management-vulnerability/
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nso-auth-bypass-QnTEesp
- https://www.cisco.com/c/en/us/td/docs/routers/access/isr4400/software/configuration/xe-17/isr4400-sw-config-xe-17/using_the_management_interfaces.pdf


Weekly Interesting CVE

(Columns: No. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS Severity Rating | Detail | Solution | Reference)

1. CVE-2023-31016
   Published Date: 2/11/2023 | Last Update: 6/9/2024
   Target: NVIDIA vGPU software, all versions prior to and including 16.1
   Attack Type: execute arbitrary code
   CVSS Severity Rating: 7.3
   Detail: NVIDIA GPU Display Driver for Windows contains a vulnerability where an uncontrolled search path element may allow an attacker to execute arbitrary code, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.
   Solution: Update to version 16.2
   Reference: https://app.opencve.io/cve/CVE-2023-31016

2. CVE-2024-7969
   Published Date: 21/8/2024 | Last Update: 6/9/2024
   Target: Google Chrome before 128.0.6613.113
   Attack Type: Type Confusion
   CVSS Severity Rating: 8.8
   Detail: Type Confusion in V8 in Google Chrome prior to 128.0.6613.113 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
   Solution: Update to the latest version
   Reference: https://app.opencve.io/cve/CVE-2024-7969

3. CVE-2024-20439
   Published Date: 4/9/2024 | Last Update: 6/9/2024
   Target: Cisco Smart Licensing Utility
   Attack Type: remote attacker
   CVSS Severity Rating: 9.8
   Detail: A vulnerability in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to log in to an affected system by using a static administrative credential. This vulnerability is due to an undocumented static user credential for an administrative account. An attacker could exploit this vulnerability by using the static credentials to log in to the affected system. A successful exploit could allow the attacker to log in to the affected system with administrative privileges over the API of the Cisco Smart Licensing Utility application.
   Solution: No workarounds
   Reference: https://app.opencve.io/cve/CVE-2024-20439

4. CVE-2024-24986
   Published Date: 14/8/2024 | Last Update: 16/8/2024
   Target: Intel® 800 Series Ethernet Linux Kernel Mode Driver before version 28.3
   Attack Type: authenticated user
   CVSS Severity Rating: 9.3
   Detail: Improper access control in the Linux kernel mode driver for some Intel(R) Ethernet Network Controllers and Adapters before version 28.3 may allow an authenticated user to potentially enable escalation of privilege via local access.
   Solution: Update to the Intel® Ethernet Adapter Complete Driver Pack version 28.3 or later.
   Reference: https://app.opencve.io/cve/CVE-2024-24986

5. CVE-2020-6101
   Published Date: 20/7/2020 | Last Update: 4/8/2024
   Target: AMD Radeon DirectX 11 Driver atidxx64.dll 26.20.15019.19000
   Attack Type: execute arbitrary code
   CVSS Severity Rating: 9.9
   Detail: An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.dll 26.20.15019.19000. An attacker can provide a specially crafted shader file to trigger this vulnerability, resulting in code execution. This vulnerability can be triggered from a Hyper-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the Hyper-V host.
   Solution: Update to a version higher than 26.20.15019.19000
   Reference: https://app.opencve.io/cve/CVE-2020-6101

Malware News or Campaign IOC/IOA | EN

(Columns: No | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation)

1. Blind Eagle Targets Colombian Insurance Sector with Customized Quasar RAT
   Detection Date: 09/09/2024
   Attack Type: Phishing, malware
   Description: In August 2024, the hacker group known as "Blind Eagle" targeted an insurance company in Colombia. The attack involved two primary methods: phishing and malware. The phishing component consisted of fraudulent emails that appeared to be from reputable sources such as banks or other trusted entities, designed to deceive recipients into disclosing sensitive information. Concurrently, the group deployed malware, malicious software concealed within files or websites, to infiltrate the victims' systems and access critical company data. This included personal information of customers, such as insurance details and financial records. As a result of this attack, the insurance company experienced operational disruptions and faced significant risks related to the exposure or misuse of customer data, potentially leading to financial repercussions and a loss of customer confidence.
   Mitigation/Remediation:
   1. Implement training programs to enhance knowledge and awareness of phishing and malware threats.
   2. Consistently apply patches and updates to software to address and rectify security vulnerabilities.
   3. Activate Multi-Factor Authentication (MFA) for accessing systems and sensitive data.
   Ref: https://thehackernews.com/2024/09/blind-eagle-targets-colombian-insurance.html

24 September 2024
