Cisco has disclosed a critical vulnerability in the JSON-RPC API feature used by the web-based management interfaces of several products, including Cisco Crosswork Network Services Orchestrator (NSO), Cisco Optical Site Manager, and Cisco RV340 Dual WAN Gigabit VPN Routers.
The flaw, tracked as CVE-2024-20381, could allow authenticated remote attackers to modify the configuration of affected devices and escalate privileges.
The vulnerability stems from improper authorization checks on the JSON-RPC API. Attackers with sufficient privileges to access the vulnerable application or device could exploit this issue by sending malicious requests to the API.
Successful exploitation would allow attackers to make unauthorized changes to the device configuration, such as creating new user accounts or elevating their privileges.
This flaw impacts the following Cisco products regardless of configuration:
It also affects ConfD if the JSON-RPC API feature is enabled.
Vulnerable ConfD versions include:
Cisco has released software updates that address this vulnerability for Crosswork NSO, Optical Site Manager, and ConfD. Customers are advised to upgrade to an appropriate fixed release. However, Cisco will not provide patches for the RV340 routers as they have reached end-of-life.
There are no workarounds available to mitigate this vulnerability. Cisco recommends that customers using affected products upgrade to a patched version as soon as possible.
To determine if the JSON-RPC API feature is enabled in ConfD, check the confd.conf configuration file for the webui setting. If webui is set to true and valid TCP or SSL transports and ports are configured, the application web server can process JSON-RPC requests and may be vulnerable.
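The check described above can be scripted across a fleet of ConfD hosts. The following is an added example, not code from Cisco or from the original article; the XML element layout of confd.conf used here and the function name `jsonrpc_listeners` are assumptions, and the sample file is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The element layout (webui/enabled, transport/tcp|ssl with
# enabled, ip, port) is an assumption; compare it with your own confd.conf.
SAMPLE_CONF = """<confdConfig xmlns="http://tail-f.com/ns/confd_cfg/1.0">
  <webui>
    <enabled>true</enabled>
    <transport>
      <tcp><enabled>false</enabled><ip>127.0.0.1</ip><port>8008</port></tcp>
      <ssl><enabled>true</enabled><ip>0.0.0.0</ip><port>8888</port></ssl>
    </transport>
  </webui>
</confdConfig>"""

def _local(tag):
    """Strip the XML namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def _child(node, name):
    if node is None:
        return None
    return next((c for c in node if _local(c.tag) == name), None)

def _text(node, name):
    child = _child(node, name)
    return (child.text or "").strip() if child is not None else ""

def jsonrpc_listeners(conf_xml):
    """Return [(transport, ip, port)] for every listener that can serve JSON-RPC."""
    root = ET.fromstring(conf_xml)
    webui = next((e for e in root.iter() if _local(e.tag) == "webui"), None)
    # A missing or false <enabled> is treated as "web server off".
    if webui is None or _text(webui, "enabled").lower() != "true":
        return []
    listeners = []
    for name in ("tcp", "ssl"):
        t = _child(_child(webui, "transport"), name)
        if t is None or _text(t, "enabled").lower() != "true":
            continue
        port = _text(t, "port")
        # Only a valid port number counts as a configured listener.
        if port.isdecimal() and 1 <= int(port) <= 65535:
            listeners.append((name, _text(t, "ip"), int(port)))
    return listeners

if __name__ == "__main__":
    for transport, ip, port in jsonrpc_listeners(SAMPLE_CONF):
        print(f"JSON-RPC reachable over {transport} on {ip}:{port}; check the ConfD version")
```

An empty result means the web server is off or has no usable listener; any entry returned means the host should be compared against Cisco's list of fixed ConfD releases.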
While Cisco is unaware of any malicious exploitation of this vulnerability so far, customers are urged to assess their exposure and apply the necessary updates to protect their networks. As always, following security best practices like least-privilege access and network segmentation can help limit the impact of vulnerabilities.