Backdoor secrecy
The hardcoded password flaw, tracked as CVE-2024-20439, could be exploited to gain administrator privileges through the app's API. The second flaw, CVE-2024-20440, could allow an attacker to obtain log files containing sensitive data such as API credentials.
With both given an identical CVSS score of 9.8, it's a toss-up as to which is the worse of the two. However, the vulnerabilities could clearly be used together in ways that amplify their danger, making patching all the more critical. The affected versions of CSLU are 2.0.0, 2.1.0, and 2.2.0; version 2.3.0 is the patched release.
CSLU is a recent product, so one might have expected it to be better secured. That said, Cisco has a history of this type of flaw, with hardcoded credentials having been found in Cisco Firepower Threat Defense, Emergency Responder, and, further back, Digital Network Architecture (DNA) Center, to name only some of the affected products.
As Ullrich of SANS wrote rather sarcastically in the group's new warning: "The first one [CVE-2024-20439] is one of the many backdoors Cisco likes to equip its products with."
