CVE-2024-20350
📋 TL;DR
This vulnerability allows an unauthenticated remote attacker to impersonate a Cisco Catalyst Center appliance due to a static SSH host key. Attackers can perform man-in-the-middle attacks to intercept SSH traffic, inject commands, and steal credentials. All organizations using vulnerable versions of Cisco Catalyst Center (formerly Cisco DNA Center) are affected.
💻 Affected Systems
- Cisco Catalyst Center
- Cisco DNA Center
📦 What is this software?
Cisco Catalyst Center (formerly Cisco DNA Center) is Cisco's network management and automation platform, delivered as an appliance that administrators reach over a web UI and SSH.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Catalyst Center appliance allowing attackers to intercept all SSH traffic, inject malicious commands, steal administrative credentials, and potentially pivot to other network devices.
Likely Case
Attackers intercept SSH sessions to steal credentials and inject commands, leading to unauthorized access to the network management system.
If Mitigated
With proper network segmentation and monitoring, impact is limited to potential credential theft from intercepted sessions.
🎯 Exploit Status
Exploitation requires man-in-the-middle positioning but no authentication. Attack tools for SSH MITM are widely available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.7.6 and later
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-ssh-e4uOdASj
Restart Required: Yes
Instructions:
1. Backup current configuration.
2. Download and install Catalyst Center 2.3.7.6 or later from Cisco Software Center.
3. Follow upgrade procedures in Cisco documentation.
4. Verify SSH host key has been regenerated.
🔧 Temporary Workarounds
Restrict SSH Access
Limit SSH access to trusted management networks only using firewall rules
Use SSH Key Verification
Configure SSH clients to verify host keys and reject unknown keys
ssh -o StrictHostKeyChecking=yes user@catalyst-center
🧯 If You Can't Patch
- Isolate Catalyst Center appliance to dedicated management VLAN with strict access controls
- Implement network monitoring for SSH MITM attacks and review SSH connection logs regularly
🔍 How to Verify
Check if Vulnerable:
Check Catalyst Center version via web UI (System > About) or CLI. Versions below 2.3.7.6 are vulnerable.
Check Version:
From Catalyst Center CLI: show version | include Version
Verify Fix Applied:
After upgrade to 2.3.7.6+, verify SSH host key has changed by checking SSH fingerprint from a client connection.
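The two checks above (version below 2.3.7.6, and a host key that actually changed after the upgrade) and the host-key pinning workaround can be scripted offline. The following is an added example written for this page, not Cisco tooling: it compares version strings numerically rather than lexicographically, and computes the SHA256 fingerprint of an SSH public key line in the same format `ssh-keygen -lf` prints so a pre-upgrade and post-upgrade key can be compared, or a key checked against a pinned fingerprint. The key lines it works on are constructed samples built from placeholder bytes, not real Catalyst Center keys.

```python
"""Offline verification helpers for CVE-2024-20350 (added example, not Cisco's own tooling)."""
import base64
import hashlib
import re

# From the advisory: 2.3.7.6 and later are fixed.
FIXED_VERSION = (2, 3, 7, 6)


def parse_version(text: str) -> tuple:
    """Extract '2.3.7.6' from a version string and return (2, 3, 7, 6).

    Numeric tuples avoid the classic string-comparison bug where
    '2.3.7.10' sorts below '2.3.7.6'.
    """
    match = re.search(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the reported version is below the fixed release."""
    found = parse_version(version)
    width = max(len(found), len(FIXED_VERSION))
    # Pad shorter tuples with zeros so 2.3.7 compares as 2.3.7.0.
    found = found + (0,) * (width - len(found))
    fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    return found < fixed


def fingerprint(hostkey_line: str) -> str:
    """SHA256 fingerprint of an OpenSSH public key, as 'SHA256:<unpadded base64>'.

    Accepts either a known_hosts line ('host keytype base64') or a bare
    'keytype base64 [comment]' line, which is what ssh-keyscan prints.
    """
    parts = hostkey_line.split()
    for index, field in enumerate(parts):
        if field.startswith(("ssh-", "ecdsa-")):
            blob = base64.b64decode(parts[index + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no SSH public key found in line")


def host_key_changed(before_line: str, after_line: str) -> bool:
    """Post-upgrade check: the regenerated key must not match the old one."""
    return fingerprint(before_line) != fingerprint(after_line)


def matches_pinned(hostkey_line: str, pinned_fingerprint: str) -> bool:
    """Client-side pinning: accept only the fingerprint recorded out of band."""
    return fingerprint(hostkey_line) == pinned_fingerprint


def _ed25519_line(raw32: bytes, host: str) -> str:
    """Build a known_hosts style line from 32 placeholder bytes.

    The OpenSSH wire format for an ed25519 key is two length-prefixed
    strings: the key type, then the raw public key. This is a constructed
    sample for demonstration only, not a real key.
    """
    def ssh_string(data: bytes) -> bytes:
        return len(data).to_bytes(4, "big") + data

    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


# Constructed samples: a "before upgrade" key and a "after upgrade" key.
OLD_KEY_LINE = _ed25519_line(bytes(range(32)), "catalyst-center")
NEW_KEY_LINE = _ed25519_line(bytes(range(32, 64)), "catalyst-center")


if __name__ == "__main__":
    for version in ("2.3.7.5", "2.3.7.6", "2.3.7.10", "Version 2.3.5"):
        print(f"{version:>14}: {'VULNERABLE' if is_vulnerable(version) else 'fixed'}")
    print("old key:", fingerprint(OLD_KEY_LINE))
    print("new key:", fingerprint(NEW_KEY_LINE))
    print("host key changed after upgrade:", host_key_changed(OLD_KEY_LINE, NEW_KEY_LINE))
```

In practice, `ssh-keyscan -t ed25519 catalyst-center` (run from a trusted management host, before and after the upgrade) produces the key lines; the fingerprint after the upgrade is the value to record out of band and pin in clients' known_hosts files alongside `StrictHostKeyChecking=yes`.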
📡 Detection & Monitoring
Log Indicators:
- Multiple SSH connection failures
- SSH host key mismatch warnings in client logs
- Unusual SSH connections from unexpected sources
Network Indicators:
- SSH traffic interception patterns
- Unexpected SSH connections to Catalyst Center
SIEM Query:
source="catalyst-center" AND (event="ssh_failure" OR event="authentication_failure")
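The SIEM query and the log indicators above can be expressed as a small triage script. This is an added example, not part of the advisory and not a Cisco product: it applies the same condition as the query (`source="catalyst-center"` and an `ssh_failure` or `authentication_failure` event) to constructed key=value log lines, tallies failures per source address so repeated failures from one host stand out, and counts OpenSSH client warnings about a changed host key. The log format, IP addresses and timestamps are constructed samples, not real Catalyst Center output.

```python
"""Triage of SSH failure events and host-key-mismatch warnings (added example, constructed data)."""
import re
from collections import Counter

# Constructed sample events in a simple key=value format (not real Catalyst Center logs).
SAMPLE_LOGS = """\
2024-09-25T10:00:01Z source=catalyst-center src_ip=10.1.1.5 event=ssh_failure user=admin
2024-09-25T10:00:03Z source=catalyst-center src_ip=10.1.1.5 event=authentication_failure user=admin
2024-09-25T10:00:04Z source=catalyst-center src_ip=10.1.1.5 event=ssh_failure user=root
2024-09-25T10:00:09Z source=catalyst-center src_ip=10.1.1.5 event=authentication_failure user=admin
2024-09-25T10:01:00Z source=catalyst-center src_ip=10.2.0.7 event=ssh_success user=netops
2024-09-25T10:02:00Z source=switch-core1 src_ip=10.1.1.5 event=ssh_failure user=admin
2024-09-25T10:03:00Z source=catalyst-center src_ip=10.2.0.7 event=ssh_failure user=netops
"""

# Constructed excerpt of what an OpenSSH client prints when a known_hosts entry no longer matches.
SAMPLE_CLIENT_LOG = """\
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
Offending ED25519 key in /home/netops/.ssh/known_hosts:12
"""

FAILURE_EVENTS = {"ssh_failure", "authentication_failure"}
KEY_CHANGED_RE = re.compile(r"REMOTE HOST IDENTIFICATION HAS CHANGED")


def parse_event(line: str) -> dict:
    """Turn 'ts k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    fields = line.split()
    event = {"ts": fields[0]}
    for field in fields[1:]:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def siem_match(event: dict) -> bool:
    """Same condition as the SIEM query on this page."""
    return event.get("source") == "catalyst-center" and event.get("event") in FAILURE_EVENTS


def matching_events(log_text: str) -> list:
    """All events the SIEM query would return, in log order."""
    return [e for e in map(parse_event, log_text.splitlines()) if line_nonempty(e) and siem_match(e)]


def line_nonempty(event: dict) -> bool:
    return bool(event.get("ts"))


def repeated_failures(log_text: str, threshold: int = 3) -> dict:
    """Source addresses with at least `threshold` matching failures, with their counts.

    Repeated failures from one address against the appliance are the
    'multiple SSH connection failures' indicator; a burst like this is worth
    correlating with client-side host key warnings from the same timeframe.
    """
    counts = Counter(e["src_ip"] for e in matching_events(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def host_key_warnings(client_log: str) -> int:
    """Count client-side 'host identification has changed' warnings."""
    return sum(1 for line in client_log.splitlines() if KEY_CHANGED_RE.search(line))


if __name__ == "__main__":
    print("events matching SIEM query:", len(matching_events(SAMPLE_LOGS)))
    print("sources with repeated failures:", repeated_failures(SAMPLE_LOGS))
    print("host key mismatch warnings in client log:", host_key_warnings(SAMPLE_CLIENT_LOG))
```

A host-key-mismatch warning on a client that has not been told about an upgrade, combined with a burst of failures recorded by the appliance from the same address, is the pairing worth escalating; a mismatch warning on its own right after the 2.3.7.6 upgrade is expected, because the fix regenerates the host key.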