CVE-2024-20430

7.3 HIGH

📋 TL;DR

This vulnerability allows an authenticated local attacker to execute arbitrary code with SYSTEM privileges on Windows systems running a vulnerable Cisco Meraki Systems Manager Agent. The agent handles its directory search path incorrectly, so an attacker who can place a malicious DLL and configuration file where the agent looks gets them loaded when the agent starts. Organizations using Cisco Meraki SM Agent for Windows are affected.

💻 Affected Systems

Products:
  • Cisco Meraki Systems Manager Agent for Windows
Versions: All versions prior to the fixed release
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Windows OS with Cisco Meraki SM Agent installed. Attackers need local authenticated access to place malicious files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, enabling persistent backdoors, credential theft, lateral movement, and data exfiltration.

🟠 Likely Case

Local privilege escalation leading to administrative control over affected endpoints, potentially enabling ransomware deployment or data theft.

🟢 If Mitigated

Limited impact with proper endpoint security controls, application allowlisting, and restricted local access preventing file placement.

🌐 Internet-Facing: LOW - Requires local authenticated access, not directly exploitable over network.
🏢 Internal Only: HIGH - Local attackers or compromised accounts can exploit this for privilege escalation within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated local access and the ability to place files in specific directories. The DLL hijacking technique itself is well understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Cisco advisory for specific fixed versions

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-agent-dll-hj-Ptn7PtKe

Restart Required: Yes

Instructions:

1. Review the Cisco advisory for the fixed version.
2. Update Cisco Meraki SM Agent to the latest version.
3. Restart affected systems.
4. Verify the update through the Meraki dashboard.

🔧 Temporary Workarounds

Restrict local file write permissions

Platform: windows

Prevent low-privileged users from writing files to directories used by Meraki SM Agent.

Use Windows ACLs to restrict write access to Meraki installation directories.

Enable application control/allowlisting

Platform: windows

Prevent execution of unauthorized DLLs through Windows Defender Application Control or similar.

Configure Windows Defender Application Control policies to block unsigned DLLs.

🧯 If You Can't Patch

  • Implement strict endpoint security controls to detect and block DLL hijacking attempts
  • Restrict local administrative access and monitor for suspicious file creation in Meraki directories

🔍 How to Verify

Check if Vulnerable:

Check Meraki SM Agent version in Windows Programs & Features or via Meraki dashboard. Compare against advisory.

Check Version:

Check Meraki dashboard or Windows registry: HKEY_LOCAL_MACHINE\SOFTWARE\Meraki\SM-Agent

Verify Fix Applied:

Confirm the updated version is installed and monitor that the agent operates normally after the update.
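The version check above and the ACL workaround can be combined into one audit script. The following is an added example, not part of this page or of Cisco's tooling; the registry key is the one named on this page, while the install directory path and the list of trusted principals are assumptions to adjust per host.

```powershell
# Added example (not from the advisory or Cisco): report the Meraki SM Agent
# registry values named on this page and audit the install directory for
# write-capable ACEs held by principals other than the expected admin set.
$regKey     = 'HKLM:\SOFTWARE\Meraki\SM-Agent'
$installDir = 'C:\Program Files\Meraki\SM-Agent'   # ASSUMED path; verify locally
# ASSUMED set of principals that may legitimately write into the directory.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

# 1. Show what is stored under the key so the version can be compared against
#    the Cisco advisory (value names vary by agent build, so print them all).
if (Test-Path $regKey) {
    Write-Host "Registry values under ${regKey}:"
    Get-ItemProperty -Path $regKey | Format-List * | Out-String | Write-Host
} else {
    Write-Host "Registry key $regKey not found; agent may not be installed."
}

# 2. Any ACE that allows writing, creating or modifying for a principal outside
#    the trusted set lets a low-privileged user drop files the agent may load.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = $fsr::Write -bor $fsr::CreateFiles -bor $fsr::AppendData -bor
             $fsr::Modify -bor $fsr::FullControl
if (Test-Path $installDir) {
    $risky = (Get-Acl -Path $installDir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.FileSystemRights -band $writeMask)) -ne 0 -and
        ($trusted -notcontains $_.IdentityReference.Value)
    }
    if ($risky) {
        Write-Warning "Write-capable ACEs on $installDir for non-trusted principals:"
        $risky | Select-Object IdentityReference, FileSystemRights, IsInherited |
            Format-Table -AutoSize
    } else {
        Write-Host "No write-capable ACEs for non-trusted principals on $installDir."
    }
} else {
    Write-Host "Install directory $installDir not found; adjust the assumed path."
}
```

Review any ACE the script flags before removing it, since inherited entries may come from the parent directory's policy rather than from the agent installer.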

📡 Detection & Monitoring

Log Indicators:

  • Unexpected DLL loads from Meraki directories
  • File creation events in Meraki installation paths by non-admin users

Network Indicators:

  • Unusual outbound connections from Meraki agent post-startup

SIEM Query:

Process creation where parent process contains 'meraki' AND image loaded contains suspicious DLL name
