Cisco Catalyst SD-WAN Manager, Credential Disclosure, CVE-2024-20355 (High)

Listen to this Post

The vulnerability exists in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager. An unauthenticated remote attacker can exploit this flaw by first sending a crafted HTTP request to a vulnerable system. This request triggers the exposure of a credential file that contains the DCA user password in plaintext. The file is stored on the affected system due to improper access controls. The attacker reads the file via the same HTTP channel without any authentication. Once the DCA password is obtained, the attacker can use it to authenticate as the DCA user on another affected system. The DCA user has elevated privileges, allowing the attacker to execute operations with those rights. The root cause is the presence of the credential file on the system and lack of proper restriction on its access. The attack vector is remote over HTTP, but requires the ability to send crafted requests. No user interaction is needed. The vulnerability affects releases prior to 20.12 and up to 20.15.x. Cisco confirmed that releases 20.18 and later are not affected. The CVSS 3.1 vector is AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, giving a base score of 7.5 (High). The high complexity and high privileges required reduce the severity, but scope change and full confidentiality/availability impact raise it. Successful exploitation completely compromises the DCA user account and can lead to lateral movement.

dailycve form:

Platform: Cisco SD-WAN
Version: before 20.18
Vulnerability: DCA credential exposure
Severity: High (7.5)
Date: 2024-03-13

Prediction: April 2024

What Undercode Say:

Check if DCA credential file is accessible
curl -k -X GET https://<target_ip>/dca/credentials
Extract password from response (example)
grep -oP '"dca_password":"\K[^"]' response.txt
Use obtained password to authenticate to another DCA endpoint
curl -k -u dca:<password> https://<other_ip>/dca/api/stats

Exploit:

Send HTTP GET to `/dca/credentials` – read plaintext password – replay password to DCA login endpoint – gain unauthenticated remote access as DCA user – pivot to other systems.

Protection from this CVE:

Upgrade to Cisco Catalyst SD-WAN Manager release 20.18 or later. Apply access control lists (ACLs) to restrict HTTP access to DCA endpoints. Remove or rotate the default DCA credential file manually if upgrade not possible.

Impact:

Full compromise of DCA user privileges across multiple systems. Attackers can read configuration data, modify SD-WAN policies, disrupt network routing, and use DCA account for persistent lateral movement.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top