CERT-In Vulnerability Note
CIVN-2020-0412
Multiple Vulnerabilities in Cisco IoT Field Network Director
Original Issue Date: November 20, 2020
Severity Rating: HIGH
Software Affected
- Cisco IoT FND releases prior to Release 4.6.1.
Overview
Multiple vulnerabilities have been reported in Cisco IoT Field Network Director (FND) which could allow an attacker to access, view and modify sensitive information on an affected system.
Description
1. API Authentication Vulnerability (CVE-2020-3392)
A vulnerability exists in the API of Cisco IoT Field Network Director (FND) because the affected software does not properly authenticate API calls. An attacker could exploit this vulnerability by sending API requests to an affected system. Successful exploitation of this vulnerability could allow the attacker to view sensitive information on the affected system, including information about the devices that the system manages, without authentication.
2. SOAP API Authorization Bypass Vulnerability (CVE-2020-26072)
A vulnerability exists in the SOAP API of Cisco IoT Field Network Director (FND) due to insufficient authorization in the SOAP API. An attacker could exploit this vulnerability by sending SOAP API requests to affected devices that target devices outside the attacker's authorized domain. Successful exploitation of this vulnerability could allow the attacker to access and modify information on devices that belong to a different domain.
3. REST API Vulnerability (CVE-2020-3531)
A vulnerability exists in the REST API of Cisco IoT Field Network Director (FND) because the affected software does not properly authenticate REST API calls. An attacker could exploit this vulnerability by obtaining a cross-site request forgery (CSRF) token and then using the token with REST API requests. Successful exploitation of this vulnerability could allow the attacker to access the back-end database of the affected device and read, alter, or drop information.
Solution
Apply appropriate updates as mentioned in:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-APIA-xZntFS2V
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-AUTH-vEypBmmR
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-BCK-GHkPNZ5F
Vendor Information
CISCO
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-APIA-xZntFS2V
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-AUTH-vEypBmmR
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-BCK-GHkPNZ5F
References
CISCO
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-APIA-xZntFS2V
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-AUTH-vEypBmmR
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-BCK-GHkPNZ5F
CVE Name
CVE-2020-3392
CVE-2020-26072
CVE-2020-3531
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India