CVE-2024-20323

July 17, 2024, 5:15 p.m.

CVSS Score

7.5 / 10

Product(s) Impacted

Cisco Intelligent Node (iNode) Software

Description

A vulnerability in Cisco Intelligent Node (iNode) Software could allow an unauthenticated, remote attacker to hijack the TLS connection between Cisco iNode Manager and associated intelligent nodes and send arbitrary traffic to an affected device. This vulnerability is due to the presence of hard-coded cryptographic material. An attacker in a man-in-the-middle position between Cisco iNode Manager and associated deployed nodes could exploit this vulnerability by using the static cryptographic key to generate a trusted certificate and impersonate an affected device. A successful exploit could allow the attacker to read data that is meant for a legitimate device, modify the startup configuration of an associated node, and, consequently, cause a denial of service (DoS) condition for downstream devices that are connected to the affected node.

Weaknesses

CWE-321
Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

CWE ID: 321

Date

Published: July 17, 2024, 5:15 p.m.

Last Modified: July 17, 2024, 5:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

ykramarz@cisco.com

CVSS Data

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

Base Score
7.5
Exploitability Score
2.2
Impact Score
4.7
Base Severity
HIGH
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N

References