Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.4111
Cisco IoT Field Network Director Vulnerabilities
19 November 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco IoT Field Network Director
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Modify Arbitrary Files -- Remote/Unauthenticated
Cross-site Request Forgery -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Reduced Security -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-26081 CVE-2020-26080 CVE-2020-26079
CVE-2020-26078 CVE-2020-26077 CVE-2020-26076
CVE-2020-26072 CVE-2020-3531 CVE-2020-3392
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-XSS-NzOPCGEc
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-OVW-SHzOE3Pd
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-LV-hE4Rntet
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-UPWD-dCRPuQ78
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-SSI-V2myWX9y
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-APIA-xZntFS2V
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-AUTH-vEypBmmR
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-BCK-GHkPNZ5F
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-PWH-yCA6M7p
Comment: This bulletin contains nine (9) Cisco Systems security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco IoT Field Network Director Cross-Site Scripting Vulnerabilities
Priority: Medium
Advisory ID: cisco-sa-FND-XSS-NzOPCGEc
First Published: 2020 November 18 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvt44927 CSCvt44941 CSCvt45000 CSCvt45160
CVE Names: CVE-2020-26081
CWEs: CWE-74
CVSS Score:
6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:X/RL:X/RC:X
Summary
o Multiple vulnerabilities in the web UI of Cisco IoT Field Network Director
(FND) could allow an unauthenticated, remote attacker to conduct cross-site
scripting (XSS) attacks against users on an affected system.
The vulnerabilities are due to insufficient validation of user-supplied
input that is processed by the web UI. An attacker could exploit these
vulnerabilities by persuading a user to click a crafted link. A successful
exploit could allow the attacker to execute arbitrary script code in the
context of the interface or access sensitive, browser-based information on
an affected system.
Cisco has released software updates that address these vulnerabilities.
There are no workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-FND-XSS-NzOPCGEc
Affected Products
o Vulnerable Products
At the time of publication, these vulnerabilities affected Cisco IoT FND
releases earlier than Release 4.6.1.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by these vulnerabilities.
Workarounds
o There are no workarounds that address these vulnerabilities.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
At the time of publication, Cisco IoT FND releases 4.6.1 and later
contained the fix for these vulnerabilities.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerabilities that are
described in this advisory.
Source
o These vulnerabilities were found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cross-Site Scripting
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-FND-XSS-NzOPCGEc
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-NOV-18 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------------------------------------------------------------
Cisco IoT Field Network Director File Overwrite Vulnerability
Priority: Medium
Advisory ID: cisco-sa-FND-OVW-SHzOE3Pd
First Published: 2020 November 18 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvt45266
CVE Names: CVE-2020-26078
CWEs: CWE-73
CVSS Score:
4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N/E:X/RL:X/RC:X
Summary
o A vulnerability in the file system of Cisco IoT Field Network Director
(FND) could allow an authenticated, remote attacker to overwrite files on
an affected system.
The vulnerability is due to insufficient file system protections. An
attacker could exploit this vulnerability by crafting API requests and
sending them to an affected system. A successful exploit could allow the
attacker to overwrite files on an affected system.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-FND-OVW-SHzOE3Pd
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco IoT FND
releases earlier than 4.6.1.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
At the time of publication, Cisco IoT FND releases 4.6.1 and later
contained the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found by Ben Taylor of Cisco during internal
security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-FND-OVW-SHzOE3Pd
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-NOV-18 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------------------------------------------------------------
Cisco IoT Field Network Director Improper Access Control Vulnerability
Priority: Medium
Advisory ID: cisco-sa-FND-LV-hE4Rntet
First Published: 2020 November 18 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvt45262
CVE Names: CVE-2020-26077
CWEs: CWE-284
CVSS Score:
5.0 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:X/RL:X/RC:X
Summary
o A vulnerability in the access control functionality of Cisco IoT Field
Network Director (FND) could allow an authenticated, remote attacker to
view lists of users from different domains that are configured on an
affected system.
The vulnerability is due to improper access control. An attacker could
exploit this vulnerability by sending an API request that alters the domain
for a requested user list on an affected system. A successful exploit could
allow the attacker to view lists of users from different domains on the
affected system.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-FND-LV-hE4Rntet
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco IoT FND
releases earlier than Release 4.6.1.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
At the time of publication, Cisco IoT FND releases 4.6.1 and later
contained the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found by Billy Pierce of Cisco during internal
security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-FND-LV-hE4Rntet
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-NOV-18 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------------------------------------------------------------
Cisco IoT Field Network Director Improper Domain Access Control Vulnerability
Priority: Medium
Advisory ID: cisco-sa-FND-UPWD-dCRPuQ78
First Published: 2020 November 18 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvt45294
CVE Names: CVE-2020-26080
CWEs: CWE-284
CVSS Score:
4.1 AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X
Summary
o A vulnerability in the user management functionality of Cisco IoT Field
Network Director (FND) could allow an authenticated, remote attacker to
manage user information for users in different domains on an affected
system.
The vulnerability is due to improper domain access control. An attacker
could exploit this vulnerability by manipulating JSON payloads to target
different domains on an affected system. A successful exploit could allow
the attacker to manage user information for users in different domains on
an affected system.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-FND-UPWD-dCRPuQ78
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco IoT FND
releases earlier than Release 4.6.1.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
At the time of publication, Cisco IoT FND releases 4.6.1 and later
contained the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found by Billy Pierce of Cisco during internal
security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-FND-UPWD-dCRPuQ78
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-NOV-18 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------------------------------------------------------------
Cisco IoT Field Network Director Information Disclosure Vulnerability
Priority: Medium
Advisory ID: cisco-sa-FND-SSI-V2myWX9y
First Published: 2020 November 18 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvt45222
CVE Names: CVE-2020-26076
CWEs: CWE-497
CVSS Score:
5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X
Summary
o A vulnerability in Cisco IoT Field Network Director (FND) could allow an
unauthenticated, remote attacker to view sensitive database information on
an affected device.
The vulnerability is due to the absence of authentication for sensitive
information. An attacker could exploit this vulnerability by sending
crafted curl commands to an affected device. A successful exploit could
allow the attacker to view sensitive database information on the affected
device.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-FND-SSI-V2myWX9y
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco IoT FND
releases earlier than Release 4.6.1.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
At the time of publication, Cisco IoT FND releases 4.6.1 and later
contained the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found by Billy Pierce of Cisco during internal
security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-FND-SSI-V2myWX9y
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-NOV-18 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------------------------------------------------------------
Cisco IoT Field Network Director Missing API Authentication Vulnerability
Priority: High
Advisory ID: cisco-sa-FND-APIA-xZntFS2V
First Published: 2020 November 18 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvt45296
CVE Names: CVE-2020-3392
CWEs: CWE-306
CVSS Score:
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X
Summary
o A vulnerability in the API of Cisco IoT Field Network Director (FND) could
allow an unauthenticated, remote attacker to view sensitive information on
an affected system.
The vulnerability exists because the affected software does not properly
authenticate API calls. An attacker could exploit this vulnerability by
sending API requests to an affected system. A successful exploit could
allow the attacker to view sensitive information on the affected system,
including information about the devices that the system manages, without
authentication.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-FND-APIA-xZntFS2V
Affected Products
o Vulnerable Products
This vulnerability affects Cisco IoT FND releases earlier than Release
4.6.1.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco fixed this vulnerability in Cisco IoT FND releases 4.6.1 and later.
To download the software from the Software Center on Cisco.com, click
Browse all and choose Cloud and Systems Management > IoT Management and
Automation > IoT Field Network Director .
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-FND-APIA-xZntFS2V
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-NOV-18 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------------------------------------------------------------
Cisco IoT Field Network Director SOAP API Authorization Bypass Vulnerability
Priority: High
Advisory ID: cisco-sa-FND-AUTH-vEypBmmR
First Published: 2020 November 18 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvt45167
CVE Names: CVE-2020-26072
CWEs: CWE-284
CVSS Score:
8.7 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N/E:X/RL:X/RC:X
Summary
o A vulnerability in the SOAP API of Cisco IoT Field Network Director (FND)
could allow an authenticated, remote attacker to access and modify
information on devices that belong to a different domain.
The vulnerability is due to insufficient authorization in the SOAP API. An
attacker could exploit this vulnerability by sending SOAP API requests to
affected devices for devices that are outside their authorized domain. A
successful exploit could allow the attacker to access and modify
information on devices that belong to a different domain.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-FND-AUTH-vEypBmmR
Affected Products
o Vulnerable Products
This vulnerability affects Cisco IoT FND releases earlier than Release
4.6.1.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco fixed this vulnerability in Cisco IoT FND releases 4.6.1 and later.
To download the software from the Software Center on Cisco.com, click
Browse All and choose Cloud and Systems Management > IoT Management and
Automation > IoT Field Network Director .
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found by during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-FND-AUTH-vEypBmmR
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-NOV-18 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------------------------------------------------------------
Cisco IoT Field Network Director Unauthenticated REST API Vulnerability
Priority: Critical
Advisory ID: cisco-sa-FND-BCK-GHkPNZ5F
First Published: 2020 November 18 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvt45219 CSCvt45228
CVE Names: CVE-2020-3531
CWEs: CWE-306
CVSS Score:
9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the REST API of Cisco IoT Field Network Director (FND)
could allow an unauthenticated, remote attacker to access the back-end
database of an affected system.
The vulnerability exists because the affected software does not properly
authenticate REST API calls. An attacker could exploit this vulnerability
by obtaining a cross-site request forgery (CSRF) token and then using the
token with REST API requests. A successful exploit could allow the attacker
to access the back-end database of the affected device and read, alter, or
drop information.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-FND-BCK-GHkPNZ5F
Affected Products
o Vulnerable Products
This vulnerability affects Cisco IoT FND releases earlier than Release
4.6.1.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco fixed this vulnerability in Cisco IoT FND releases 4.6.1 and later.
To download the software from the Software Center on Cisco.com, click
Browse all and choose Cloud and Systems Management > IoT Management and
Automation > IoT Field Network Director .
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-FND-BCK-GHkPNZ5F
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-NOV-18 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------------------------------------------------------------
Cisco IoT Field Network Director Unprotected Storage of Credentials
Vulnerability
Priority: Medium
Advisory ID: cisco-sa-FND-PWH-yCA6M7p
First Published: 2020 November 18 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvt45257
CVE Names: CVE-2020-26079
CWEs: CWE-256
CVSS Score:
4.1 AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N/E:X/RL:X/RC:X
Summary
o A vulnerability in the web UI of Cisco IoT Field Network Director (FND)
could allow an authenticated, remote attacker to obtain hashes of user
passwords on an affected device.
The vulnerability is due to insufficient protection of user credentials. An
attacker could exploit this vulnerability by logging in as an
administrative user and crafting a call for user information. A successful
exploit could allow the attacker to obtain hashes of user passwords on an
affected device.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-FND-PWH-yCA6M7p
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco IoT FND
releases earlier than Release 4.6.1.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
At the time of publication, Cisco IoT FND releases 4.6.1 and later
contained the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found by Billy Pierce of Cisco during internal
security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-FND-PWH-yCA6M7p
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-NOV-18 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX7X6KONLKJtyKPYoAQgNYg/6A9Srp55LKK4ApvQ0HVsr0fcH8/Ro/nMo
A7jUNf7bZOCYPWe8lbsy9G44bYT9dEdtj1utYf8sP9oTamTKBAtkNoVVqBQfMrT6
gXZZZzmNZbVfFEN1i0cGeOY4VhHItsNwGhK1SGpyWhwg3cxj13YyN/8jKiUuUEjZ
3/l8Xo4fTnqRHzof8dhTg+4qhIev0ZG1KhafS2jeLCJLTjJvlDlCUdo4fXhFI5VA
4nlNHwUmr7ORgFx9u2b8ZH1kzeGVFZgiSRepPQoz62OW9D00gkUJG4UcJJES5PTi
NFtPZn79bt8Ab0sY4D3FiMx+DWXGYRsIRq79AT7R/7QQ3h0Ge83VYhtT66DLyPXg
ivHNW/mVsnL4DNN2qWnwopj36fpKVSt8lVbvSAtFOGDPeIEAgvMGGYws+BfOaL0j
CNmzUn/xJdet4f9NywTKFpMpLJZ8L+88dLtE6qsiinwmUq68kFrjg2H+3kVcLvfu
t8ey2uYZx2O/wAeDj6S9TArDeDcmBDDVsLoaYNMBlUBXCdruBBbhPvFuswWpS54q
j6AkinR/1VmJndohF3vV2NaGPSjvBuWcoUa6mcSAbqtFHI4F/ltIdow3XJBWpmQ8
yP5eBwjJMgC2UkImAfn8Ew8ARIxiRUC4/KFzFC8Q3I/jZXHpV4t25B3zCg92AHOT
29snCnFaUhc=
=pYBb
-----END PGP SIGNATURE-----