Critical Arbitrary Command Execution vulnerability in Cisco Nexus Dashboard Fabric Controller (CVE-2024-20432)

Published: Oct 07, 2024 14:49

Advisory No: TZCERT-SA-24-0030

Source: Cisco

Software Affected: Cisco Nexus Dashboard Fabric Controller

Overview

Cisco Nexus Dashboard Fabric Controller is affected by a critical vulnerability. The vulnerability could allow a remote attacker to perform a command injection against the affected device.

Description

Cisco Nexus Dashboard Fabric Controller is affected by a critical vulnerability tracked as CVE-2024-20432 with a base score of 9.9. The vulnerability is due to improper user authorization and insufficient validation of command arguments. It allows the attacker to submit crafted commands to an affected REST API endpoint or through the web UI. Upon successful submission, the attacker could execute arbitrary commands on the CLI of a Cisco NDFC-managed device with network admin privileges.
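The two root causes named above (improper authorization and insufficient validation of command arguments passed from a REST endpoint to a device CLI) describe a general weakness class. The following is an added, hypothetical illustration written for this advisory; it is not Cisco's code and says nothing about how NDFC itself is built. The endpoint name, the `ALLOWED_COMMANDS` set, the `network-admin` role and the `ssh device` relay are all assumptions. It contrasts a naive shell-string concatenation with a handler that enforces a server-side role check, an allowlist of commands, a strict argument pattern, and an argv list instead of a shell line.

```python
import re
import subprocess
from typing import Sequence

# Hypothetical relay: the controller forwards a read-only "show" command to a
# managed device. Everything below is constructed for illustration.
ALLOWED_COMMANDS = {"show interface", "show version", "show ip route"}
# Arguments a device CLI actually needs: names, numbers, slashes, dots, colons.
# Shell metacharacters (; | & $ ` quotes, whitespace) are simply not matched.
ARG_PATTERN = re.compile(r"^[A-Za-z0-9_./:-]{1,64}$")
REQUIRED_ROLE = "network-admin"  # assumed role name


class AuthorizationError(PermissionError):
    pass


class ValidationError(ValueError):
    pass


def naive_shell_line(command: str, args: Sequence[str]) -> str:
    """'Before' form: request fields are spliced into one shell string.
    Whatever metacharacters the caller supplies become part of the line the
    shell later interprets, which is the command-injection class at issue."""
    return f"ssh device '{command} {' '.join(args)}'"


def authorize(roles: Sequence[str]) -> None:
    """Authorization is enforced per request on the server, never inferred
    from which buttons the web UI happened to show the caller."""
    if REQUIRED_ROLE not in roles:
        raise AuthorizationError(f"caller lacks {REQUIRED_ROLE} role")


def build_argv(command: str, args: Sequence[str]) -> list:
    """Hardened form: allowlisted command, pattern-checked arguments, and an
    argv list so no shell ever parses the caller's input."""
    if command not in ALLOWED_COMMANDS:
        raise ValidationError(f"command not in allowlist: {command!r}")
    for a in args:
        if not ARG_PATTERN.fullmatch(a):
            raise ValidationError(f"argument rejected: {a!r}")
    return ["ssh", "-o", "BatchMode=yes", "device", *command.split(), *args]


def handle_request(roles: Sequence[str], command: str, args: Sequence[str]) -> list:
    """Order matters: reject unauthorized callers before looking at the
    payload at all, then validate, then return the argv that would run."""
    authorize(roles)
    return build_argv(command, args)


def execute(argv: Sequence[str]) -> str:
    """Run the relayed command without a shell (shell=False is the default for
    a list argv). Not invoked in the demonstration below."""
    result = subprocess.run(list(argv), capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed request: an interface name containing a metacharacter.
    crafted = "Ethernet1/1;x"
    print("naive line :", naive_shell_line("show interface", [crafted]))
    try:
        handle_request(["network-admin"], "show interface", [crafted])
    except ValidationError as exc:
        print("hardened   :", exc)
    print("valid argv :", handle_request(["network-admin"], "show interface", ["Ethernet1/1"]))
```

The naive line shows the semicolon surviving intact into a string destined for a shell; the hardened path rejects it before any process is spawned, and a caller without the required role is refused before the payload is even inspected. The pattern generalizes: allowlist the verb, constrain each argument to what the target syntax legitimately needs, and hand the result to the executor as discrete arguments.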

Impact

Successful exploitation of this vulnerability may allow the attacker to take control of the affected system.

Solution

Cisco has released a patch for this vulnerability. Users and administrators are encouraged to apply the necessary updates.
