A vulnerability in the JSON-RPC API of ConfD, utilized by the web-based management interfaces of Cisco Crosswork Network Services Orchestrator (NSO), Cisco Optical Site Manager, and Cisco RV340 Dual WAN Gigabit VPN Routers, could enable an authenticated, remote attacker to alter the configuration of affected applications or devices.
This issue arises from insufficient authorization checks on the API. An attacker with sufficient access privileges could exploit this flaw by sending malicious requests to the JSON-RPC API. Successful exploitation could allow unauthorized changes to the configuration, such as creating new user accounts or elevating privileges on the affected system.
Cisco has issued software updates to resolve this vulnerability. There are no available workarounds.
For more details, refer to the advisory here:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nso-auth-bypass-QnTEesp
Impacted Products
The following Cisco products are affected by this vulnerability, regardless of device configuration:
ConfD is also vulnerable if the JSON-RPC API feature is enabled.
For information on vulnerable Cisco and ConfD software releases, please consult the Fixed Software section of this advisory.
Verify ConfD Configuration
The JSON-RPC API feature is enabled in ConfD if the `webui` option is activated in the `confd.conf` configuration file. An example configuration is shown below:
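```xml
.
.
.
<webui>
  <enabled>true</enabled>
  <transport>
    <tcp>
      <enabled>true</enabled>
      <ip>0.0.0.0</ip>
      <port>8008</port>
    </tcp>
    <ssl>
      <enabled>true</enabled>
      <ip>0.0.0.0</ip>
      <port>8888</port>
      .
      .
      .
    </ssl>
  </transport>
</webui>
.
.
.
```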
To process JSON-RPC requests, ConfD applications must have the Web UI feature enabled and be set up with a valid transport (either TCP or SSL) and port.
Note: The XML tag used is `webui`, despite ConfD not offering its own web UI. The example provided, taken from `examples.confd/json_rpc/webui/README`, demonstrates a `webui` configuration that activates the JSON-RPC API on ports 8008 and 8888.
Products Not Affected
This vulnerability affects only the products listed in the Impacted Products section of this advisory.
Cisco has verified that the following products are not impacted by this vulnerability:
Workarounds
There are no available workarounds for this vulnerability.
Fixed Software
Cisco has issued free software updates to address the vulnerability described in this advisory. Customers with service contracts that cover regular updates should obtain these fixes through their usual update channels.
Tail-f, a Cisco company, has also released updates to address this issue. Customers can only install and receive support for software versions and features that are covered by their current license and support agreement with Tail-f Systems AB. By applying these updates, customers agree to the terms of their license agreement. Note that security updates do not include new software licenses or additional features.
Customers with valid licenses and support agreements can download the updated software from their existing Tail-f delivery server account.
Software updates are available only for versions and features covered by purchased licenses. By using these updates, customers agree to the Cisco software license terms: [Cisco End User License Agreement](https://www.cisco.com/c/en/us/products/end-user-license-agreement.html).
Software can be downloaded only for licenses acquired directly from Cisco or through authorized resellers or partners. Typically, these updates are maintenance upgrades for previously purchased software. Free security updates do not provide new licenses, additional features, or major version upgrades.
For licensing and download information, visit the Cisco Support and Downloads page on Cisco.com. This page also displays device support coverage using the My Devices tool.
When planning upgrades, customers should consult Cisco Security Advisories for detailed upgrade solutions and exposure information.
Ensure that devices have adequate memory and verify that current hardware and software configurations will be supported by the new release. For any uncertainties, customers should contact the Cisco Technical Assistance Center (TAC) or their maintenance providers.
Customers Without Service Contracts
For customers who purchase directly from Cisco but lack a service contract, or those buying through third-party vendors who cannot obtain the fixed software at their point of sale, upgrades can be requested by contacting Cisco TAC: [Cisco TAC Contact](https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html).
Customers should have their product serial number ready and be prepared to provide the URL of this advisory as proof of entitlement for a free upgrade.
Fixed Releases
To find information on fixed releases for this vulnerability, see the sections below.
ConfD
The table below lists ConfD software releases. The left column gives the ConfD release train, the center column gives the releases in that train that are affected by the vulnerability described in this advisory, and the right column gives the first release that includes the fix. Customers should upgrade to the recommended fixed software release as detailed in this section.

| ConfD Release | Affected Releases | First Fixed Release |
| --- | --- | --- |
| 7.5 | 7.5 through 7.5.10.1 | 7.5.10.2 |
| 7.7 | 7.7 through 7.7.15 | 7.7.16 |
| 8.0 | 8.0 through 8.0.12 | 8.0.13 |
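The two checks above (whether `webui` is enabled in `confd.conf`, and whether the installed ConfD release is at or past the first fixed release) can be combined into one triage script. This is an added example, not code from Cisco or Tail-f; the function names and the inline sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# First fixed ConfD release per train, copied from the advisory's ConfD table.
FIRST_FIXED = {"7.5": "7.5.10.2", "7.7": "7.7.16", "8.0": "8.0.13"}

# Constructed sample mirroring the advisory's webui example (not a real device config).
SAMPLE_CONF = """<confdConfig xmlns="http://tail-f.com/ns/confd_cfg/1.0">
  <webui><enabled>true</enabled><transport>
    <tcp><enabled>true</enabled><ip>0.0.0.0</ip><port>8008</port></tcp>
    <ssl><enabled>false</enabled><ip>0.0.0.0</ip><port>8888</port></ssl>
  </transport></webui>
</confdConfig>"""

def _child(elem, name):
    # Match on the local tag name so the check works with or without an xmlns.
    if elem is None:
        return None
    return next((c for c in elem if c.tag.rsplit("}", 1)[-1] == name), None)

def _text(elem, name):
    c = _child(elem, name)
    return (c.text or "").strip() if c is not None else ""

def jsonrpc_listeners(conf_xml):
    """Return [(transport, ip, port)] for each enabled webui transport."""
    root = ET.fromstring(conf_xml)
    webui = next((e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "webui"), None)
    if _text(webui, "enabled") != "true":
        return []
    found = []
    for name in ("tcp", "ssl"):
        t = _child(_child(webui, "transport"), name)
        if _text(t, "enabled") == "true":
            port = _text(t, "port")
            found.append((name, _text(t, "ip"), int(port) if port.isdigit() else None))
    return found

def is_fixed(version):
    """True/False for release trains in the table, None for trains it does not list."""
    fixed = FIRST_FIXED.get(".".join(version.split(".")[:2]))
    if fixed is None:
        return None
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return as_tuple(version) >= as_tuple(fixed)

def assess(conf_xml, version):
    """Flag a ConfD install that both serves JSON-RPC and runs an unfixed release."""
    listeners = jsonrpc_listeners(conf_xml)
    return {"listeners": listeners, "fixed": is_fixed(version),
            "vulnerable": bool(listeners) and is_fixed(version) is False}
```

A `fixed` value of `None` means the release train is not in the advisory's table and needs to be checked against the vendor's guidance by hand.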
Customers are encouraged to upgrade to the recommended fixed software release as outlined in the tables below:
Crosswork NSO:

| Cisco Crosswork NSO Release | First Fixed Release |
| --- | --- |
| 5.5 | 5.5.10.1 |
| 5.6 | 5.6.14.3 |
| 5.7 | 5.7.16 |
| 5.8 | 5.8.13.1 |
| 6.0 | 6.0.13 |
| 6.1 | 6.1.8.1, 6.1.9 |
| 6.2 | 6.2.3 |
| 6.3 | Not affected. |
Optical Site Manager:

| Cisco Optical Site Manager Release | First Fixed Release |
| --- | --- |
| Earlier than 24.3 | Migrate to a fixed release. |
| 24.3 | 24.3.1 |
The Cisco Product Security Incident Response Team (PSIRT) only confirms the affected and fixed release information provided in this advisory.
RV340 Dual WAN Gigabit VPN Routers
Cisco will not issue software updates to address the vulnerability described in this advisory for the RV340 Dual WAN Gigabit VPN Routers, as these devices are now in the end-of-life process. Customers should consult the end-of-life notice for these products.
Public Disclosure and Exploitation
Cisco PSIRT has not observed any public announcements or malicious activity related to the vulnerability described in this advisory.
Source
The vulnerability was detected through internal security testing.