Cisco scores a perfect CVSS 10 with critical flaw in its wireless system
- Reference: 1730980133
- News link: https://www.theregister.co.uk/2024/11/07/cisco_uiws_flaw/
- Source link:
The weakness – dubbed [1]CVE-2024-20418 and made public yesterday – is with the Unified Industrial Wireless Software that the devices use. Crucially, the flaw is serious enough that a remote attacker with no privileges could upgrade themselves to admin-level access and install whatever nasties they like.
"An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system," Cisco [2]warned . "A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system of the affected device."
[3]Emergency patch: Cisco fixes bug under exploit in brute-force attacks
[4]Cisco is abandoning the LoRaWAN space, and there's no lifeboat for IoT customers
[5]Scumbag puts 'stolen' Nokia source code, SSH and RSA keys, more up for sale
[6]Why Cisco reportedly wants in on CoreWeave's rent-a-GPU racket
The following kit is affected and needs immediate patching if URWB is enabled – there are no workarounds:
Catalyst IW9165D Heavy Duty Access Points;
Catalyst IW9165E Rugged Access Points and Wireless Clients;
Catalyst IW9167E Heavy Duty Access Points.
You can check if it is enabled on your own kit by using the show mpls-config CLI command.
The flaw carries a CVSS score of 10.0 because it's both simple and devastatingly effective. It's also dangerous because this kind of kit is designed for industrial uses and it is just the kind of code you'd expect to find in critical infrastructure targets – such as ports or factories.
[7]
You can get your fix [8]here and are advised to apply it immediately. There are not yet any reported sightings of the vulnerability being exploited in the wild. ®
Get our [9]Tech Resources
[1] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-backhaul-ap-cmdinj-R7E28Ecs
[2] https://www.cisco.com/site/us/en/products/networking/industrial-wireless/ultra-reliable-wireless-backhaul/index.html
[3] https://www.theregister.com/2024/10/24/cisco_bug_brute_force/
[4] https://www.theregister.com/2024/10/02/cisco_exiting_lorawan/
[5] https://www.theregister.com/2024/11/06/nokia_data_theft/
[6] https://www.theregister.com/2024/10/06/cisco_ai_coreweave/
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZyzyNiqfLBQIO550D__YXwAAAQU&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[8] https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#ssu
[9] https://whitepapers.theregister.com/
Re: Separate networks
Good luck with that. Accounting will have kittens over the Unjustified Extra Expenses. They will veto it... until _after_ the network gets thumped. And maybe even then.
Re: Separate networks
Ask for written confirmation that they have read and understood the proposal and accept the risks on behalf of the business. Signatures in their own blood preferred but not essential.
Re: Separate networks
When I read CVSS descriptions, the phrases, "a carefully-crafted http packet", and "a carefully-crafted https packet" occur so often that I think it would be safer to dump web admin interfaces and go back to TUIs, accessed via telnet over ssh.
The idea here is that simpler source is easier to find bugs in, and being fewer lines of code, less-likely to contain/hide bugs.
Fort Meade Designed......or would that be NIST Designed.....
....revealed ONLY because some diligent third party found out!!
....your taxpayer dollar at work....in Fort Meade, at NIST....and of course at Cisco!!
....more out there to be found.......why can't we just get a whistleblower to blow the whistle?
Separate networks
"An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system,"
And that is why you never ever (*) have any management interfaces accessible on the production network. You create a management network for this purpose that is not accessible from the production network. You still need to patch all the software holes, but it makes network subversion and penetration more difficult.
(*) and that means never ever while the universe exists .