Security updates: Cisco patches flaws in products across the board

In addition to a critical error, the network supplier is also addressing a number of gaps with medium and high risk levels. Patches are available.


With a good dozen security advisories, Cisco is fixing a number of gaps in VPN routers, security appliances from the Meraki series, blade centers and the cloud network management "Nexus Dashboard". There are software patches for the security gaps, but no workarounds, so admins should update their devices.

The most dangerous vulnerability affects the Nexus Dashboard Fabric Controller (NDFC), software for managing network devices. The bug allows an attacker with a valid user account to execute arbitrary code on a device managed by a vulnerable NDFC instance. The commands can be injected both via the web interface and via the RESTful API. Only the fact that a user account is required prevents CVE-2024-20432 from receiving the highest CVSS score. With a score of 9.9 points, the vulnerability is nevertheless critical.

An attacker can also use the Secure Copy Protocol (SCP) to inject their own code into network devices, bypassing the NDFC. To do this, they simply upload it via SCP and take advantage of an inadequate path check. The malicious commands are executed with the rights of the user "root", which gives the vulnerability, CVE-2024-20449, a high risk rating and a CVSS score of 8.8 out of 10.

Several other vulnerabilities in the Nexus Dashboard (CVE-2024-20385, CVE-2024-20438, CVE-2024-20441, CVE-2024-20442, CVE-2024-20490, CVE-2024-20491, CVE-2024-20444 and CVE-2024-20448) pose a medium risk and range from TLS certificate problems to authorization flaws and information leaks.


There are also gaps in Cisco's small business routers. The RV340(W) and RV345(P) router models allow privilege escalation (CVE-2024-30393, CVSS 8.8, high risk) and the execution of malicious code, which must be introduced by a user with existing admin rights (CVE-2024-20470, CVSS 4.7, medium risk).

If an attacker with administrator privileges sends manipulated HTTP packets to the RV042(G), RV320 and RV325 routers via the web GUI (CVE-2024-20516, CVE-2024-20517, CVE-2024-20522, CVE-2024-20523, CVE-2024-20524, CVSS 6.8, medium risk), they can cause the devices to restart and lock out legitimate users in the process. They can also use the same procedure to execute commands with the privileges of the root system user on the devices (CVE-2024-20518, CVE-2024-20519, CVE-2024-20520 and CVE-2024-20521, CVSS 6.5, medium risk).

(Editor's note: Router names with suffixes in brackets refer to the routers both with and without the suffix.)

A security problem in the AnyConnect VPN server of Meraki MX and Z appliances (Cisco has published the exact list of the 25 affected device types in the security notice) allows outsiders to terminate VPN sessions or prevent them from being established. The manufacturer has found several variants of such an attack and fixed them in updates for the AnyConnect servers. The vulnerabilities have the CVE IDs CVE-2024-20498, CVE-2024-20499, CVE-2024-20500, CVE-2024-20501, CVE-2024-20502 and CVE-2024-20513, and their severity ranges from medium to high. It is therefore advisable to apply the patch in any case.

The network vendor has also fixed further vulnerabilities in the Cisco Identity Services Engine (CVE-2024-20515, medium risk), Cisco Expressway (CVE-2024-20492, medium risk) and the Redfish remote maintenance interface of the UCS blade centers of the B, C and X series (CVE-2024-20365, medium risk).

Patches are available for all vulnerabilities, which admins should apply quickly. All information can also be found on Cisco's overview page. In the past, exploits for Cisco vulnerabilities have emerged quickly and have been used by cybercrime groups.

(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.