CVE-2024-20421

7.1 HIGH

📋 TL;DR

An unauthenticated remote attacker can perform cross-site request forgery (CSRF) attacks against the web-based management interface of Cisco ATA 190 Series Analog Telephone Adapters. By getting a logged-in user to click a malicious link, the attacker can perform arbitrary actions with that user's privileges. Organizations using affected Cisco ATA 190 devices are vulnerable.

💻 Affected Systems

Products:
  • Cisco ATA 190 Series Analog Telephone Adapter
Versions: All versions prior to 12.0(1)SR1
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with web-based management interface enabled and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover: the attacker could reconfigure device settings, disable services, change passwords, or disrupt telephony services.

🟠 Likely Case

Unauthorized configuration changes leading to service disruption or security policy bypass.

🟢 If Mitigated

Limited impact if devices are on isolated networks with strict access controls and user awareness training.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires social engineering: the user must click a malicious link while authenticated to the device management interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.0(1)SR1 and later

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ata19x-multi-RDTEqRsy

Restart Required: Yes

Instructions:

1. Download firmware 12.0(1)SR1 or later from Cisco.
2. Log into the device web interface.
3. Navigate to Administration > Software Upgrade.
4. Upload and install the new firmware.
5. Reboot the device.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict access to device management interfaces to trusted networks only.

Use HTTPS Only (applies to: all)

Configure the device to use HTTPS exclusively for the management interface.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach device management interfaces.
  • Educate users about CSRF risks and implement browser security extensions that block CSRF attempts.

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface: System Information > Software Version. If the version is earlier than 12.0(1)SR1, the device is vulnerable.

Check Version:

There is no CLI command; check the System Information page of the web interface.

Verify Fix Applied:

After patching, verify that the firmware version shown in System Information is 12.0(1)SR1 or later.

📡 Detection & Monitoring

Log Indicators:

  • Multiple configuration changes from unexpected IP addresses
  • Authentication failures followed by configuration changes

Network Indicators:

  • HTTP POST requests to device management interface from unexpected sources
  • Cross-origin requests to device management endpoints

SIEM Query:

source_ip NOT IN (trusted_admin_ips) AND destination_port=80 AND http_method=POST AND uri CONTAINS "/cgi-bin/"
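The SIEM query above and the "cross-origin requests" network indicator, implemented as a small log hunt. This is an added example, not code from the page or from Cisco: the log format, the trusted admin network 10.0.0.0/24, the device address 10.0.0.20 and the /cgi-bin/EXAMPLE_ENDPOINT path are all constructed placeholders. It goes one step beyond the query by also watching port 443 (the HTTPS-only workaround moves management traffic there) and by comparing the request's Origin header against the device host.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed access-log lines (not real ATA 190 output). Assumed format:
# <timestamp> <src_ip> <dst_ip>:<dst_port> <method> <uri> origin=<Origin header or ->
SAMPLE_LOG = """\
2024-10-17T10:01:02Z 10.0.0.5 10.0.0.20:80 POST /cgi-bin/EXAMPLE_ENDPOINT origin=http://10.0.0.20
2024-10-17T10:01:09Z 10.0.0.5 10.0.0.20:80 GET /cgi-bin/EXAMPLE_ENDPOINT origin=-
2024-10-17T10:02:30Z 192.168.7.33 10.0.0.20:80 POST /cgi-bin/EXAMPLE_ENDPOINT origin=http://10.0.0.20
2024-10-17T10:03:15Z 10.0.0.5 10.0.0.20:443 POST /cgi-bin/EXAMPLE_ENDPOINT origin=http://other-site.example
2024-10-17T10:04:00Z 192.168.7.33 10.0.0.20:80 POST /index.html origin=-
"""

TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # assumed trusted_admin_ips
MGMT_PORTS = {80, 443}  # the page's query uses 80 only; 443 added for the HTTPS-only workaround
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+) origin=(\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, port, method, uri, origin = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "method": method,
            "uri": uri, "origin": None if origin == "-" else origin}


def classify(rec):
    """Return the reasons a record matches the CSRF hunt (empty list if benign)."""
    if rec["method"] != "POST" or rec["port"] not in MGMT_PORTS or "/cgi-bin/" not in rec["uri"]:
        return []
    reasons = []
    if not any(ipaddress.ip_address(rec["src"]) in net for net in TRUSTED_ADMIN_NETS):
        reasons.append("untrusted_source")
    # Browsers send Origin on cross-site POSTs; a host mismatch is the cross-origin indicator.
    if rec["origin"] is not None and urlsplit(rec["origin"]).hostname != rec["dst"]:
        reasons.append("cross_origin")
    return reasons


def detect(log_text):
    """Run classify() over every parseable line; return (ts, src, uri, reasons) per alert."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (reasons := classify(rec)):
            alerts.append((rec["ts"], rec["src"], rec["uri"], reasons))
    return alerts
```

Run against SAMPLE_LOG, detect() flags the POST from 192.168.7.33 (outside the admin network) and the POST from a trusted host whose Origin names another site, which is the shape a CSRF-triggered request takes.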
