Backdoor secrecy
The hardcoded password flaw, identified as CVE-2024-20439, could be exploited to achieve administrator privileges via the app’s API. The second flaw, CVE-2024-20440, could allow an attacker to obtain log files containing sensitive data such as API credentials.
With both given an identical CVSS score of 9.8, it’s a toss-up as to which is the worst of the two. However, the vulnerabilities could clearly be used together in ways that amplify their danger, making patching even more imperative. The affected versions of CSLU are 2.0.0, 2.1.0, and 2.2.0; version 2.3.0 is the patched version.
CSLU is a recent product, so one might have expected it to be better secured. That said, Cisco has a history of this type of flaw, with hardcoded credentials being discovered in Cisco Firepower Threat Defense, Emergency Responder, and further back in Digital Network Architecture (DNA) Center, to name only some of the affected products.
As Ullrich of the SANS wrote rather sarcastically in the organization’s new warning: “The first one [CVE-2024-20439] is one of the many backdoors Cisco likes to equip its products with.”