Backdoor secrecy
The hardcoded password flaw, tracked as CVE-2024-20439, could be exploited to gain administrator privileges via the app's API. The second flaw, CVE-2024-20440, could allow an attacker to obtain log files containing sensitive data such as API credentials.
With both given an identical CVSS score of 9.8, it's a toss-up as to which is the worse of the two. However, the vulnerabilities could clearly be used together in ways that amplify their danger, making patching even more critical. The affected versions of CSLU are 2.0.0, 2.1.0, and 2.2.0; version 2.3.0 is the patched version.
CSLU is a recent product, so one might have expected it to be better secured. That said, Cisco has a history of this type of flaw, with hardcoded credentials being discovered in Cisco Firepower Threat Defense, Emergency Responder, and further back in Digital Network Architecture (DNA) Center, to name only some of the affected products.
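Two defensive checks follow from the two flaws described above: confirming whether an installed CSLU build falls in the affected range, and keeping API credentials out of log files so that a log-disclosure bug exposes less. The script below is an added example, not code from the article or from Cisco; the credential field names, regex patterns and sample log lines are constructed for illustration and are not real CSLU output.

```python
"""
Added example (not from the original article or any Cisco code).

1. is_affected_cslu_version(): flags the CSLU releases the article lists as
   affected (2.0.0, 2.1.0, 2.2.0) versus the patched 2.3.0, using numeric
   comparison rather than string comparison.
2. redact_credentials(): scrubs credential-looking values from log lines
   before they are written or shipped, so a log-disclosure bug such as
   CVE-2024-20440 leaks less. Field names and samples are constructed.
"""
import re

# [first affected, first fixed) as stated in the article: 2.0.0 up to but
# not including 2.3.0.
AFFECTED_RANGE = ((2, 0, 0), (2, 3, 0))


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' into an int tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected_cslu_version(version):
    """True if the version is in the affected range the article lists."""
    v = parse_version(version)
    lo, hi = AFFECTED_RANGE
    return lo <= v < hi


# Constructed key names: key=value or key: value credentials commonly seen
# in application logs. Values may be bare or quoted.
_SECRET_KEYS = r"(?:api[_-]?key|api[_-]?secret|token|password|passwd|pwd|secret)"
_KV_PATTERN = re.compile(
    r"(?i)\b(" + _SECRET_KEYS + r")(\s*[=:]\s*)([\"']?)([^\s\"',;]+)\3"
)
# Bearer tokens in logged Authorization headers.
_BEARER_PATTERN = re.compile(r"(?i)\b(Bearer)\s+[A-Za-z0-9\-._~+/]+=*")


def redact_credentials(line):
    """Replace credential values with a marker; keep key names for context."""
    line = _KV_PATTERN.sub(
        lambda m: f"{m.group(1)}{m.group(2)}{m.group(3)}[REDACTED]{m.group(3)}",
        line,
    )
    line = _BEARER_PATTERN.sub(r"\1 [REDACTED]", line)
    return line


def redact_log(lines):
    """Apply redaction to every line of a log (list of strings)."""
    return [redact_credentials(line) for line in lines]


# Constructed sample log lines (not real CSLU output).
SAMPLE_LOG = [
    "2024-09-05 10:01:02 INFO  license sync start api_key=AKIAEXAMPLE123 user=admin",
    "2024-09-05 10:01:03 DEBUG request headers: Authorization: Bearer eyJhbGciOi.abc.def",
    "2024-09-05 10:01:04 WARN  retry with password='hunter2' host=cslu-01",
    "2024-09-05 10:01:05 INFO  sync complete, 3 devices",
]

if __name__ == "__main__":
    for ver in ("2.0.0", "2.2.0", "2.3.0", "2.3.1"):
        print(ver, "affected" if is_affected_cslu_version(ver) else "not affected")
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

The redaction runs on the producer side (before lines reach disk or a log shipper); scrubbing after the fact does not help once a copy of the file has already been read. The key list is deliberately short and should be extended with whatever field names your own application actually logs.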
As Ullrich of SANS wrote rather sarcastically in the group's new warning: "The first one [CVE-2024-20439] is one of the many backdoors Cisco likes to equip its products with."