CERT

Overview

The Indian Computer Emergency Response Team (CERT-In) has recently added two Cisco vulnerabilities to its catalog. Both vulnerabilities target Cisco products, with high severity ratings and potential for impacts on the confidentiality, integrity, and availability of affected systems. 

The first vulnerability, CVE-2024-20536, affects Cisco’s Nexus Dashboard Fabric Controller (NDFC), specifically versions 12.1.2 and 12.1.3. The flaw is found in the REST API endpoint and web-based management interface, and it could allow an authenticated, remote attacker with read-only privileges to execute arbitrary SQL commands on an affected device.

The vulnerability arises due to insufficient input validation. An attacker with read-only privileges could exploit this flaw by sending specially crafted requests to the affected device’s REST API or management interface, bypassing input validation and potentially modifying or deleting data in the internal database. Exploiting this vulnerability could lead to denial of service (DoS) conditions and a significant disruption of operations.

The severity of the vulnerability is classified as high. It affects Cisco NDFC versions 12.1.2 and 12.1.3, making these systems particularly vulnerable to exploitation. The potential impact includes data manipulation, which could allow attackers to alter sensitive information and service disruption, potentially leading to system downtime. Furthermore, there is a risk of data leakage, where unauthorized individuals may access and expose confidential data stored within the affected systems.

This vulnerability does not affect Cisco NDFC when it is configured as a Storage Area Network (SAN) controller. However, for organizations using the affected versions of Cisco NDFC, the potential risks are significant, especially in terms of data integrity and availability.

CVE-2024-20484: Denial of Service in Cisco Enterprise Chat and Email (ECE)

The second vulnerability, CVE-2024-20484, affects Cisco Enterprise Chat and Email (ECE) versions 12.6 and earlier, running the External Agent Assignment Service (EAAS). This vulnerability could allow unauthenticated, remote attackers to trigger a Denial of Service (DoS) condition, disrupting the availability of the ECE system.

The vulnerability lies in the way Cisco ECE handles Media Routing Peripheral Interface Manager (MR PIM) traffic. An attacker could exploit this flaw by sending specially crafted MR PIM traffic, causing a failure in the MR PIM connection between Cisco ECE and Cisco Unified Contact Centre Enterprise (CCE). This failure leads to a denial-of-service condition, rendering the ECE system inoperable.

This issue primarily affects organizations using Cisco ECE for enterprise communication. A successful attack could lead to widespread disruptions, affecting internal communications and customer service operations.

Cisco’s Broader Vulnerability Landscape: A Year of Increased Threats

While CVE-2024-20484 and CVE-2024-20536 are the latest additions to the catalog of known vulnerabilities, Cisco has had a series of high-severity vulnerabilities throughout the year. In addition to these new vulnerabilities, Cyble recently reported on a critical flaw in the Unified Industrial Wireless Software for Ultra-Reliable Wireless Backhaul (URWB), tracked as CVE-2024-20418. This vulnerability, with a CVSS score of 10.0 (the highest possible severity), allows attackers to gain root-level access to vulnerable Cisco devices.

Exploiting this flaw can enable unauthorized command execution on affected systems, making it one of the most dangerous vulnerabilities in Cisco’s product lineup this year. The CVE-2024-20418 vulnerability affects Cisco Catalyst Access Points operating in URWB mode, such as the Catalyst IW9165D, IW9165E, and IW9167E models. Attackers can exploit this flaw by sending specially crafted HTTP requests to the affected device, injecting commands with root privileges, and gaining control over the device. Exploiting this vulnerability could lead to compromises in industrial and high-stakes environments.

Moreover, Cyble sensors have previously detected cyberattacks targeting the “/+CSCOE+/logon.html” URL, which is linked to Cisco ASA’s WebVPN Login Page. Vulnerabilities like XSS, path traversal, and HTTP response splitting could allow attackers to execute code, steal data, or disrupt services.

Conclusion 

The disclosure of these Cisco vulnerabilities, like CVE-2024-20484 and CVE-2024-20536, stresses the growing risk of exploitation in critical infrastructure, particularly in widely used systems like Cisco products. As Cyble and other threat intelligence firms have noted, cybercriminals are increasingly targeting known vulnerabilities, employing tactics such as brute-force attacks and leveraging the dark web to spread exploits. 

With vulnerabilities continuing to be discovered and actively targeted, organizations must prioritize patch management, implement strong security measures, and conduct regular vulnerability assessments. By staying on guard and proactive in updating systems, segmenting networks, and monitoring suspicious activity, businesses can better defend against online threats. 

The post CERT-In Flags Two High-Risk Cisco Vulnerabilities Targeting Key Infrastructure appeared first on Cyble.