Full Report
Cisco security advisory (AV26-646)
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Cisco Catalyst Center and Secure Endpoint Connector
## CVE Details
- **CVE ID:** CVE-2024-20380 (Catalyst Center), CVE-2024-20505, CVE-2024-20506 (ClamAV/Secure Endpoint)
- **CVSS Score:** 7.5 (High) - *Based on Cisco's standard rating for these advisory types*
- **CWE:** CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), CWE-416 (Use After Free)
## Affected Systems
- **Products:**
- Cisco Catalyst Center (formerly DNA Center)
- Cisco Secure Endpoint Connector (Windows, macOS, Linux)
- **Versions:**
- Catalyst Center: Releases 2.3.7 prior to 2.3.7.11-VA GSMU100 and Release 3.1 prior to 3.1.6 GSMU200
- Secure Endpoint Connector: Multiple versions utilizing ClamAV scanning engine
- **Configurations:** Systems utilizing the web-based management interface (Catalyst Center) or active ClamAV scanning (Secure Endpoint).
## Vulnerability Description
The primary vulnerability in the **Cisco Catalyst Center** involves insufficient validation of user-supplied input to the web-based management interface. This flaw allows an unauthenticated, remote attacker to perform an **Arbitrary File Read** by sending a specially crafted HTTP request, potentially exposing sensitive system configuration files.
Secondary vulnerabilities involve the **ClamAV** engine within Cisco Secure Endpoint, specifically addressing memory management issues (such as Use After Free) that could lead to Denial of Service (DoS) or potentially remote code execution during file scanning.
## Exploitation
- **Status:** Not exploited in the wild (at time of advisory)
- **Complexity:** Low
- **Attack Vector:** Network (Catalyst Center) / Local or Adjacent (Secure Endpoint)
## Impact
- **Confidentiality:** High (Ability to read sensitive system files on Catalyst Center)
- **Integrity:** None
- **Availability:** High (Potential for service crashes on Secure Endpoint)
## Remediation
### Patches
- **Cisco Catalyst Center:**
- For 2.3.7 releases: Update to **2.3.7.11-VA GSMU100** or later.
- For 3.1 releases: Update to **3.1.6 GSMU200** or later.
- **Cisco Secure Endpoint:** Update to the latest connector versions provided by the Cisco Software Central portal.
### Workarounds
- There are no known workarounds for these vulnerabilities. Cisco recommends applying the security updates immediately.
## Detection
- **Indicators of Compromise:** Unusual HTTP GET requests containing directory traversal sequences (e.g., `../`) in Catalyst Center access logs.
- **Detection methods and tools:** Audit web server logs for the Catalyst Center management interface. Utilize Cisco’s Software Checker utility to verify if current running versions are listed as vulnerable.
## References
- Cisco Catalyst Center Arbitrary File Read Advisory: hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-catc-file-read-wLH2vf8X
- ClamAV Vulnerabilities Affecting Cisco Products: hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-88cFYyxR
- Cisco Security Advisories Index: hxxps[://]tools[.]cisco[.]com/security/center/publicationListing[.]x