Emergency Security Bulletin - Multiple Cisco Vulnerabilities

10/2/24 6:09 PM  |  by RedLegg's Cyber Threat Intelligence Team

About:

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify at the highest severity level, which warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

Cisco Meraki MX and Z Series VPN DoS Vulnerability

Identifier: CVE-2024-20501
Exploit or PoC: No known exploit or proof-of-concept reported.
Update: CVE-2024-20501 – Security Update Guide available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-QTRHzG2

Description: CVE-2024-20501 is a vulnerability in the Cisco AnyConnect VPN server on Cisco Meraki MX and Z Series Teleworker Gateway devices that allows an unauthenticated, remote attacker to cause a Denial of Service (DoS) condition by sending crafted HTTPS requests to the VPN server. Only devices on which the AnyConnect VPN server is enabled expose the affected service.

CVSS Score: 8.6 (High)

Mitigation recommendation: Patching is currently the only method of mitigation; Cisco has published no workaround. Update affected Meraki MX and Z Series devices to the fixed firmware versions listed in the Cisco Security Advisory (Meraki firmware is applied from the Meraki Dashboard): https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-QTRHzG2


Cisco Meraki SSL VPN DoS Vulnerability

Identifier: CVE-2024-20498
Exploit or PoC: No known exploit or proof-of-concept has been reported by Cisco.
Update: CVE-2024-20498 – Security Update Guide available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-QTRHzG2

Description: CVE-2024-20498 is a vulnerability in the Cisco AnyConnect VPN server on Cisco Meraki MX and Z Series Teleworker Gateway devices. An unauthenticated, remote attacker can exploit it by sending crafted HTTPS requests to the VPN server to cause a Denial of Service (DoS) condition. A successful attack restarts the VPN service, which drops established SSL VPN sessions and forces users to reauthenticate; a sustained attack prevents new SSL VPN connections from being established. Once the attack traffic stops, the service recovers on its own without manual intervention.

CVSS Score: 8.6 (High)
The CVSS v3.1 base score of 8.6 reflects a network attack vector requiring no authentication or user interaction, with a high impact on availability and no impact on confidentiality or integrity.

Mitigation Recommendation:
Patching is currently the only method of mitigation; no workaround is available other than applying the fixed software. Update Cisco Meraki MX and Z Series devices promptly to the fixed versions listed in the Cisco Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-QTRHzG2


Cisco Meraki AnyConnect VPN DoS Vulnerability

Identifier: CVE-2024-20499
Exploit or PoC: Currently, no known exploit or proof-of-concept has been identified by Cisco.
Update: CVE-2024-20499 – Security Update Guide available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-QTRHzG2

Description: CVE-2024-20499 is one of several vulnerabilities in the Cisco AnyConnect VPN server on Cisco Meraki MX and Z Series Teleworker Gateway devices that Cisco tracks in a single advisory (CVE-2024-20498 and CVE-2024-20501 above are others). It allows an unauthenticated, remote attacker to cause a Denial of Service (DoS) condition in the AnyConnect VPN service. The root cause is insufficient validation of client-supplied parameters while an SSL VPN session is being established. An attacker sends crafted HTTPS requests to the VPN server, causing the VPN service to restart; this interrupts active SSL VPN connections and forces users to reauthenticate, and a sustained attack prevents new connections from being established. The VPN server recovers automatically once the attack stops.

CVSS Score: 8.6 (High)

Mitigation recommendation: Patching is currently the only mitigation available, and Cisco has provided no workaround. Update Cisco Meraki MX and Z Series devices to the fixed software versions listed in the Cisco Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-QTRHzG2


Cisco Nexus Dashboard Fabric Controller (NDFC) Command Injection Vulnerability

Identifier: CVE-2024-20432
Exploit or PoC: Currently, no known exploit or proof-of-concept has been reported.
Update: Cisco's security advisory for CVE-2024-20432 is the authoritative source for fixed NDFC releases; check it for the fixed software version and apply that release.

Description: CVE-2024-20432 is a critical vulnerability in the REST API and web UI of the Cisco Nexus Dashboard Fabric Controller (NDFC). It allows an authenticated, low-privileged, remote attacker to perform a command injection attack against an affected device. The flaw stems from improper user authorization combined with insufficient validation of command arguments, so that a low-privileged user can execute arbitrary commands on the device's command line interface (CLI) with network-admin privileges. Because NDFC manages the switches in a fabric, a compromise of the controller at this privilege level puts the confidentiality, integrity, and availability of the managed network at risk, which is reflected in the score below.

CVSS Score: 9.9 (Critical)

Mitigation recommendation:
Apply the fixed NDFC release named in Cisco's advisory; no workaround addresses the underlying flaw. Until the update is applied, reduce exposure with the following controls:

  1. Restrict network access to the NDFC REST API and web UI to management networks and the administrators who need them; the attacker must already hold a valid low-privileged account, so every account is part of the attack surface.
  2. Review NDFC user accounts and roles, remove unused or shared accounts, and enforce strong authentication (for example MFA through the configured identity provider) so that a leaked low-privileged credential is harder to use.
  3. Monitor NDFC audit and web-access logs for API or UI requests from unexpected sources, and for low-privileged accounts issuing requests that should require network-admin rights.
  4. Track Cisco's advisory for the fixed release and schedule the upgrade as an emergency change.

More information and updates are available on Cisco's security advisory site.


Cisco Small Business VPN Routers Privilege Escalation Vulnerability  

Identifier: CVE-2024-20393  
Exploit or PoC: Currently, there is no known exploit or proof-of-concept available for this vulnerability.  
Update: Visit the Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv34x-privesc-rce-qE33TCms for the latest update and guidance.

Description: CVE-2024-20393 is a vulnerability in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. It allows an authenticated, remote attacker to elevate privileges from guest to admin on an affected device. The flaw exists because the web interface exposes sensitive information, which an attacker can abuse by sending crafted HTTP requests to the router. A successful exploit gives the attacker full administrative control of the device: changing its configuration, reading sensitive data such as VPN settings and credentials, or disrupting network operations.

CVSS Score: 8.8 (High)

Mitigation recommendation:  

  • These router models have reached end-of-life, and Cisco has stated that it will not release software updates to address this vulnerability; there is no patch to wait for. Plan to replace the affected routers.
  • Until they are replaced, restrict access to the web-based management interface to trusted management networks and administrators only, and do not expose it to the internet.
  • Because the attack requires a guest-level account, disable or remove guest and other unnecessary accounts, and use strong, unique credentials for those that remain.
  • Segment the network so that an affected router, if compromised, cannot reach sensitive systems.

Refer to Cisco's Security Advisory for further information on affected models and the end-of-life status of these devices.


Cisco Nexus Dashboard Fabric Controller (NDFC) Path Traversal Vulnerability  

Identifier: CVE-2024-20449  
Exploit or PoC: Currently, there is no known public exploit or proof-of-concept available.  
Update: CVE-2024-20449 – Cisco Security Update Guide can be found at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndfc-ptrce-BUSHLbp

Description: CVE-2024-20449 is a high-severity vulnerability in the Secure Copy Protocol (SCP) functionality of the Cisco Nexus Dashboard Fabric Controller (NDFC). It allows an authenticated, remote attacker with low privileges to execute arbitrary code on an affected device. The flaw is due to improper path validation: an attacker can use SCP with path traversal sequences to upload malicious code outside the intended directory and then have it executed with root privileges within a specific container on the device.

CVSS Score: 8.8 (High)

Mitigation Recommendation:  
Apply the fixed NDFC release listed in Cisco's Security Advisory; the path-validation flaw lives in the product itself, so it can only be corrected by the vendor's update. Until the update is applied, restrict network access to the NDFC SCP service to the management hosts that need it and review the NDFC accounts that can use SCP, since exploitation requires a valid low-privileged login. Monitor Cisco's advisory for any changes to the fixed releases.

For more details and updates, please refer to Cisco's Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndfc-ptrce-BUSHLbp
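Every item in this bulletin ends with the same instruction, compare the version you are running against the fixed release in the Cisco advisory, and the RV34x item is the one exception, where no fixed release will exist. The following triage helper is an added example written for this bulletin, not code from Cisco or from RedLegg's team, and it covers all of the products above in one pass: Meraki MX and Z Series (the three AnyConnect DoS CVEs), NDFC (both CVEs) and the RV34x routers. Everything in it is an assumption to be replaced with real data: the fixed-version strings in `FIXED_VERSIONS` are placeholders, not Cisco's published fixed releases; the inventory is constructed, with its shape loosely modelled on a Meraki Dashboard device export that reports firmware as strings like `wired-18-211-2`; and the `anyconnect_enabled` flag is something you would have to fill in from your own VPN configuration, since the Meraki DoS bugs only reach devices that run the AnyConnect VPN server.

```python
"""Added triage helper for the Cisco vulnerabilities in this bulletin.

Not Cisco's or RedLegg's code. Fixed-version values are placeholders;
replace them with the fixed releases named in the Cisco advisories.
"""
import re
from dataclasses import dataclass
from typing import Optional

# PLACEHOLDER fixed releases (assumption for the example, not Cisco's data).
# None means the vendor ships no fix: the RV340/RV345 family is end-of-life.
FIXED_VERSIONS = {
    "meraki-mx": "18.211.2",
    "meraki-z": "18.211.2",
    "ndfc": "12.2.2",
    "rv34x": None,
}

# Assumed layout: the first three dot- or dash-separated numbers are the
# release (so "wired-18-211-2" -> (18, 211, 2) and "12.1.3" -> (12, 1, 3)).
VERSION_RE = re.compile(r"(\d+)[.\-](\d+)[.\-](\d+)")


def parse_version(text: str) -> tuple:
    """Extract a comparable (major, minor, patch) tuple from a version string."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def product_family(model: str) -> Optional[str]:
    """Map a device model string onto the product families in the bulletin."""
    m = model.upper()
    if m.startswith("MX"):
        return "meraki-mx"
    if m.startswith("Z"):
        return "meraki-z"
    if m.startswith("RV34"):
        return "rv34x"
    if m == "NDFC":
        return "ndfc"
    return None


@dataclass
class Device:
    name: str
    model: str
    version: str
    anyconnect_enabled: Optional[bool] = None  # Meraki only; None = unknown


def assess(dev: Device) -> str:
    """Return one action word for a device: not-in-scope, no-fix-isolate,
    not-exposed, fixed, or upgrade."""
    fam = product_family(dev.model)
    if fam is None:
        return "not-in-scope"
    fixed = FIXED_VERSIONS[fam]
    if fixed is None:
        # Vendor will not fix: restrict management access, segment, replace.
        return "no-fix-isolate"
    if fam.startswith("meraki") and dev.anyconnect_enabled is False:
        # The vulnerable component is the AnyConnect server; with it disabled
        # the device is not exposed. Still upgrade before ever enabling it.
        return "not-exposed"
    if parse_version(dev.version) >= parse_version(fixed):
        return "fixed"
    return "upgrade"


def triage(devices) -> dict:
    """Assess every device and return {name: action}."""
    return {d.name: assess(d) for d in devices}


# Constructed sample inventory (not real devices or real firmware data).
SAMPLE_INVENTORY = [
    Device("branch-mx", "MX68", "wired-18-107-10", anyconnect_enabled=True),
    Device("hq-mx", "MX250", "wired-18-211-2", anyconnect_enabled=True),
    Device("home-z", "Z3", "wired-18-107-10", anyconnect_enabled=False),
    Device("fabric-ctl", "NDFC", "12.1.3"),
    Device("legacy-rv", "RV345P", "1.0.03.29"),
    Device("floor-switch", "MS225", "switch-15-21"),
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_INVENTORY).items():
        print(f"{name:14s} {action}")
```

Feed it your real inventory (for Meraki, the device list exported from the Dashboard; for NDFC and RV34x, whatever your CMDB holds) after replacing the placeholder versions with the fixed releases from the advisories. Devices that come back `upgrade` are your emergency change list, `no-fix-isolate` are the RV34x routers that need the compensating controls above and a replacement plan, and `not-exposed` Meraki devices are lower priority but should still be upgraded before AnyConnect is ever turned on.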
