Read Time:1 Minute, 21 Second
Cisco has recently disclosed a severe vulnerability (CVE-2024-20381) impacting the JSON-RPC API feature used by various web-based management interfaces in its products. This flaw poses a significant risk to organizations utilizing these platforms.
Vulnerability Details
The vulnerability arises from improper authorization checks on the JSON-RPC API. Remote attackers with sufficient privileges can exploit this issue by sending malicious requests, allowing them to:
- Modify device configurations
- Create new user accounts
- Elevate their privileges
Affected Products
The following Cisco products are vulnerable regardless of configuration: - Crosswork NSO
- Optical Site Manager
- RV340 Dual WAN Gigabit VPN Routers
ConfD is also affected if the JSON-RPC API feature is enabled.
Mitigation
Cisco has released software updates to address this vulnerability for Crosswork NSO, Optical Site Manager, and ConfD. Customers are strongly advised to upgrade to the fixed releases immediately.
Unfortunately, Cisco will not provide patches for RV340 routers as they have reached their end-of-life.
Detection
To determine if the JSON-RPC API feature is enabled in ConfD, check the confd.conf configuration file for the ‘webui’ setting. If ‘webui’ is set to ‘true’ and valid transports and ports are configured, the web server may be vulnerable to attack.
Best Practices
To minimize the impact of such vulnerabilities, organizations should adhere to cybersecurity best practices: - Implement least-privilege access controls
- Segment networks to limit the spread of attacks
- Regularly monitor and update system software
- Educate users on security awareness
Conclusion
This critical vulnerability highlights the importance of maintaining up-to-date software and adhering to security best practices. Organizations using affected Cisco products should prioritize applying the necessary patches to protect their networks from potential exploitation.
