Vulnerability

CERT-In Vulnerability Note CIVN-2020-0412
Multiple Vulnerabilities in Cisco IoT Field Network Director

Original Issue Date:November 20, 2020

Severity Rating: HIGH

Software Affected

Cisco IoT FND releases prior to Release 4.6.1.

Overview

Multiple Vulnerabilities have been reported in Cisco IoT Field Network Director (FND) which could allow the attacker to access, view and modify sensitive information on an affected system.

Description

1. API Authentication Vulnerability ( CVE-2020-3392   )

A vulnerability exists inthe API of Cisco IoT Field Network Director (FND) because the affected software does not properly authenticate API calls that could allow the attacker to view sensitive information on an affected system. An attacker could exploit this vulnerability by sending API requests to an affected system.
Successful exploitation of this vulnerability could allow the attacker to view sensitive information on the affected system, including information about the devices that the system manages, without authentication.

2. SOAP API Authorization Bypass Vulnerability ( CVE-2020-26072   )

A vulnerability exists in the SOAP API of Cisco IoT Field Network Director (FND) due to insufficient authorization in the SOAP API that could allow the attacker to access and modify information on devices that belong to a different domain. An attacker could exploit this vulnerability by sending SOAP API requests to affected devices for devices that are outside their authorized domain.
Successful exploitation of this vulnerability could allow the attacker to access and modify information on devices that belong to a different domain.

3. REST API Vulnerability ( CVE-2020-3531   )

A vulnerability exists in the REST API of Cisco IoT Field Network Director (FND) because the affected software does not properly authenticate REST API calls that could allow the attacker to access the back-end database of an affected system. An attacker could exploit this vulnerability by obtaining a cross-site request forgery (CSRF) token and then using the token with REST API requests.
Successful exploitation of this vulnerability could allow the attacker to access the back-end database of the affected device and read, alter, or drop information.

Solution

Apply appropriate updates as mentioned in:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-APIA-xZntFS2V

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-AUTH-vEypBmmR

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-BCK-GHkPNZ5F

Vendor Information

CISCO
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-APIA-xZntFS2V
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-AUTH-vEypBmmR
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-BCK-GHkPNZ5F

References

CVE Name
CVE-2020-3392
CVE-2020-26072
CVE-2020-3531

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India