CVE-2024-20348
📋 TL;DR
This vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC) allows unauthenticated remote attackers to read arbitrary files via the Out-of-Band Plug and Play provisioning web server. It affects NDFC deployments with the OOB PnP feature enabled, potentially exposing sensitive data that could lead to further attacks on the PnP infrastructure.
💻 Affected Systems
- Cisco Nexus Dashboard Fabric Controller (NDFC)
📦 What is this software?
Nexus Dashboard Fabric Controller by Cisco
⚠️ Risk & Real-World Impact
Worst Case
An attacker could read sensitive files like configuration data or credentials, enabling lateral movement, privilege escalation, or complete compromise of the PnP infrastructure and connected devices.
Likely Case
Attackers read arbitrary files from the PnP container, such as configuration files, which could be used to gather intelligence for targeted attacks or disrupt network provisioning.
If Mitigated
With proper network segmentation and access controls, impact is limited to isolated PnP container data, preventing broader system compromise.
🎯 Exploit Status
Exploitation involves direct web requests to the provisioning server, making it straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Cisco advisory for specific fixed versions
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndfc-dir-trav-SSn3AYDw
Restart Required: Yes
Instructions:
1. Review the Cisco advisory for applicable fixed versions.
2. Back up the NDFC configuration.
3. Apply the patch or upgrade to a fixed version via the NDFC management interface.
4. Restart the NDFC services as required.
🔧 Temporary Workarounds
Disable Out-of-Band Plug and Play Feature
Disables the vulnerable provisioning web server to prevent exploitation.
Access NDFC web interface, navigate to Plug and Play settings, and disable Out-of-Band PnP feature.
🧯 If You Can't Patch
- Restrict network access to the NDFC provisioning server using firewalls or ACLs to only trusted IP addresses.
- Monitor logs for unauthorized access attempts to the provisioning web server and investigate anomalies.
🔍 How to Verify
Check if Vulnerable:
Check if the Out-of-Band PnP feature is enabled in NDFC settings and verify the version against the Cisco advisory.
Check Version:
Log into NDFC web interface and check the version in the system information or use CLI commands specific to NDFC deployment.
Verify Fix Applied:
After patching, confirm the NDFC version is updated to a fixed release and test that file read attempts via the provisioning server are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated HTTP requests to the provisioning server (e.g., /pnp/ paths), especially file read attempts like GET requests for sensitive files.
Network Indicators:
- Unusual traffic to NDFC provisioning server ports (default HTTP/HTTPS) from untrusted sources.
SIEM Query:
Example: source_ip NOT IN trusted_ips AND dest_port IN (80,443) AND uri_path CONTAINS '/pnp/' AND http_method = 'GET'
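As an added example (not from the advisory or from Cisco), the Log Indicators and SIEM Query above turned into a small Python detector run over constructed access-log lines. The log format, the trusted network range, and the assumption that arbitrary file reads show up as dot-dot segments in the /pnp/ URI (the advisory is classified as directory traversal) are all assumptions; adapt them to your NDFC logging.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed sample access-log lines (not real NDFC logs):
# "<client-ip> <method> <uri-path> <status>"
SAMPLE_LOG = """\
10.0.0.5 GET /pnp/devices 200
203.0.113.7 GET /pnp/../../etc/passwd 200
203.0.113.7 GET /pnp/%2e%2e/%2e%2e/etc/shadow 200
10.0.0.9 GET /pnp/config 200
198.51.100.3 GET /pnp/status 200
198.51.100.3 GET /static/logo.png 200
"""

# Assumption: networks allowed to reach the PnP provisioning server.
TRUSTED_NETS = [ip_network("10.0.0.0/24")]
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
# ".." as a whole path segment, checked after URL-decoding.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def is_trusted(ip):
    try:
        return any(ip_address(ip) in net for net in TRUSTED_NETS)
    except ValueError:
        return False  # unparsable source address: treat as untrusted


def classify(line):
    """Return (severity, reason) for a suspicious PnP request, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, method, path, _status = m.groups()
    if method != "GET" or not path.startswith("/pnp/"):
        return None  # indicator from the page: GET requests to /pnp/ paths
    # Decode twice so single- and double-encoded dot segments are both caught.
    decoded = unquote(unquote(path))
    if TRAVERSAL_RE.search(decoded):
        return ("high", f"traversal sequence in {path} from {ip}")
    if not is_trusted(ip):
        return ("medium", f"PnP request from untrusted source {ip}: {path}")
    return None


def scan(log_text):
    """Classify every line; return [(line_no, severity, reason)] for hits."""
    hits = ((n, classify(line)) for n, line in enumerate(log_text.splitlines(), 1))
    return [(n, *hit) for n, hit in hits if hit]
```

The "high" tier corresponds to the file-read indicator and "medium" to the SIEM query's untrusted-source condition; run `scan(SAMPLE_LOG)` to see both fire on the constructed lines.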