Cisco: DoS and privilege escalation vulnerabilities in IOS and other products
Cisco's IOS and several other products contain security vulnerabilities. Attackers can escalate their privileges or knock devices offline.
Vulnerabilities threaten Cisco devices.
(Image: created with AI in Bing Designer by heise online / dmk)
Cisco has released updates that close security vulnerabilities in several products. Attackers can use the vulnerabilities to escalate their privileges or carry out denial-of-service attacks, among other things.
Cisco has published a total of eight security advisories on the newly identified vulnerabilities. Of these, six are rated high risk and two medium risk. Cisco's IOS XR software is hit particularly hard. The most serious vulnerability allows authenticated local attackers to gain read and write access to the underlying operating system and thereby obtain root privileges (CVE-2024-20398, CVSS 8.8, risk "high").
Unauthenticated attackers from the network can also send crafted packets to abuse a vulnerability in Multicast Traceroute Version 2 (mtrace2) in order to fill the memory reserved for incoming UDP packets up to its limit, which can lead to a denial of service (CVE-2024-20304, CVSS 8.6, high). Four further vulnerabilities affect Cisco's IOS XR; admins will find the security advisories linked below, which also point to the updated software and provide a more detailed breakdown of which versions are affected.
Other Cisco products with serious security leaks
In the web-based management interface of Cisco's Crosswork Network Services Orchestrator (NSO), Cisco Optical Site Manager and Cisco RV340 Dual WAN Gigabit VPN Routers, authenticated attackers from the network can change the configuration without authorization. Due to inadequate authorization checks in the JSON-RPC API, attackers who are permitted to access the vulnerable application on the device can, for example, create new user accounts or escalate their own privileges (CVE-2024-20381, CVSS 8.8, high).
In addition, authenticated attackers can inject commands from the network into Cisco's Routed Passive Optical Network (PON) controllers, which run as Docker containers on hardware supported by Cisco's IOS XR. This allows them to execute arbitrary commands on vulnerable systems and thus obtain a plaintext password, among other things (CVE-2024-20483, CVE-2024-20489; CVSS 8.4, high).
Cisco states in the new security advisories that it is not aware of any public disclosure of exploits for these vulnerabilities or of active exploitation. The security advisories are listed below, grouped by product and sorted by severity:
- Cisco IOS XR Software CLI Privilege Escalation Vulnerability (CVE-2024-20398, CVSS 8.8, risk "high")
- Cisco IOS XR Software UDP Packet Memory Exhaustion Vulnerability (CVE-2024-20304, CVSS 8.6, high)
- Cisco IOS XR Software Network Convergence System Denial of Service Vulnerability (CVE-2024-20317, CVSS 7.4, high)
- Cisco IOS XR Software Segment Routing for Intermediate System-to-Intermediate System Denial of Service Vulnerability (CVE-2024-20406, CVSS 7.4, high)
- Cisco IOS XR Software CLI Arbitrary File Read Vulnerability (CVE-2024-20343, CVSS 5.5, medium)
- Cisco IOS XR Software Dedicated XML Agent TCP Denial of Service Vulnerability (CVE-2024-20390, CVSS 5.3, medium)
- Multiple Cisco Products Web-Based Management Interface Privilege Escalation Vulnerability (CVE-2024-20381, CVSS 8.8, high)
- Cisco Routed Passive Optical Network Controller Vulnerabilities (CVE-2024-20483, CVE-2024-20489; CVSS 8.4, high)
IT managers should install the available updates promptly, given how exposed these appliances typically are and the severity of the vulnerabilities. If updating has to wait, the tips given in the respective advisory's workarounds section should be implemented. Although there are no concrete countermeasures for any of the vulnerabilities apart from updating to the new software, the risk can be partially reduced by the suggested configuration adjustments.
Last week, Cisco had already patched several vulnerabilities in various products. These included critical security gaps in the Smart Licensing Utility, which contained a backdoor: static admin credentials allowed attackers to access the instances without actually logging in.
(dmk)