CVE-2024-20381: Cisco Crosswork Network Services Orchestrator (NSO) and ConfD JSON-RPC API Vulnerability - Unauthorized Configuration Modifications

A new vulnerability, identified as CVE-2024-20381, has been discovered in the JSON-RPC API feature used by the web-based management interfaces of Cisco Optical Site Manager and Cisco RV340 Dual WAN Gigabit VPN Routers. The vulnerability exists in Cisco Crosswork Network Services Orchestrator (NSO) and ConfD, and if exploited, could allow an authenticated, remote attacker to modify the configuration of an affected application or device.

Details

This vulnerability arises due to inadequate authorization checks in the JSON-RPC API feature. An attacker with sufficient privileges to access the affected application or device could exploit this vulnerability by sending malicious requests to the JSON-RPC API. A successful exploit could allow the attacker to make unauthorized modifications to the configuration of the affected application or device. Such modifications may include the creation of new user accounts or the elevation of the attacker's own privileges on an affected system.

Code Snippet

The following code snippet demonstrates a sample JSON-RPC request that an attacker might send to exploit this vulnerability:

{
    "jsonrpc": "2.",
    "method": "config.modify",
    "params": {
        "target": "running",
        "config": {
            "users": {
                "user": {
                    "name": "attacker",
                    "privilege": "admin",
                    "password": "P@sswrd"
                }
            }
        }
    },
    "id": 1
}

In this example, the attacker is trying to create a new user account with the name 'attacker', a password of 'P@sswrd', and administrative privileges.

For more information about this vulnerability, please refer to the following resources

1. Cisco Advisory
2. NVD - CVE-2024-20381

Exploit Details

To exploit this vulnerability, an attacker would need to have privileges sufficient to access the affected application or device. The attacker could then send malicious JSON-RPC requests to the API, causing unauthorized modifications to the configuration of the affected application or device.

Mitigation

Cisco has released software updates that address this vulnerability. It is recommended to apply the updates as soon as possible to prevent potential exploitation. Additionally, administrators should restrict access to the JSON-RPC API and ensure that only authorized users have access to the affected applications and devices.

Conclusion

CVE-2024-20381 is a critical vulnerability in the JSON-RPC API feature used by Cisco Crosswork Network Services Orchestrator (NSO) and ConfD. If exploited, it could allow an attacker to modify the configuration of affected applications and devices. Therefore, it is important to apply the necessary software updates and take adequate security measures to prevent potential exploitation.

Timeline

Published on: 09/11/2024 17:15:12 UTC
Last modified on: 09/25/2024 17:15:15 UTC