Cisco Duo Device Health App Flaw Allows Directory Traversal Attacks
The CryptoService feature of the Cisco Duo Device Health Application for Windows has a vulnerability tracked as CVE-2023-20229.
It could allow a low-privileged attacker to conduct directory traversal attacks and overwrite arbitrary files on a vulnerable device.
Directory traversal, also known as path traversal, is an attack in which a path supplied by the attacker (typically containing `..` segments) is used by a program to read or write files outside the directory it was meant to operate on. It is most often described as an HTTP attack against web servers, where the attacker needs only a browser and some knowledge of where default files and directories live on the target system.
The underlying flaw, building a file path from untrusted input without canonicalizing and validating it, is not specific to web servers: any component that does so is exposed, including a privileged local component such as the one at issue here.
Cisco has released software updates that address this vulnerability. There are no workarounds.
Details of the Vulnerability
The vulnerability, tracked as CVE-2023-20229 and rated High with a CVSS score of 7.1, is caused by insufficient input validation.
“An attacker could exploit this vulnerability by executing a directory traversal attack on an affected host,” Cisco stated in its security advisory.
A successful exploit could allow the attacker to use a cryptographic key to overwrite arbitrary files with SYSTEM-level privileges, resulting in a denial-of-service (DoS) condition or data loss on the affected system. Note that the advisory's stated impact is integrity loss and DoS, not code execution.
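As an added example (not Cisco's code, and not a reproduction of the Duo flaw), the block below shows the bug class behind this advisory and the check that fixes it: a hypothetical privileged service that writes key files under a fixed directory, first building the path by naively joining caller input to the base directory, then with canonicalise-then-check. The base directory, function names and sample inputs are all constructed for illustration; `ntpath` is used so that Windows path rules (backslashes, drive letters, UNC paths, case-insensitivity) are emulated on any host.

```python
"""Added example: directory traversal against a privileged file writer, and the fix.

Not Cisco's code. BASE_DIR, the function names and SAMPLE_INPUTS are all
hypothetical; ntpath is used so that Windows path rules (backslashes, drive
letters, UNC, case-insensitivity) are emulated even when run on Linux/macOS.
"""
import ntpath

# Hypothetical directory a privileged service is meant to write key files under.
BASE_DIR = r"C:\ProgramData\ExampleService\keys"


def vulnerable_target(name: str) -> str:
    """Before: the path is built straight from caller input.

    A name such as '..\\..\\..\\Windows\\win.ini' is joined as-is; when the
    service (running as SYSTEM) opens it, the OS resolves the '..' segments and
    the write lands outside BASE_DIR. This is the bug class in the advisory.
    """
    return ntpath.join(BASE_DIR, name)


def escapes_base(path: str) -> bool:
    """True if, once '..' segments are resolved, path lies outside BASE_DIR.

    normcase makes the comparison case-insensitive and slash-insensitive, as
    NTFS is; the trailing separator stops '...\\keys2' passing as '...\\keys'.
    """
    base = ntpath.normcase(ntpath.normpath(BASE_DIR))
    resolved = ntpath.normcase(ntpath.normpath(path))
    return not resolved.startswith(base + ntpath.sep)


def safe_target(name: str) -> str:
    """After: canonicalise first, then require the result to stay under BASE_DIR.

    Raises ValueError for anything that would escape: NUL bytes, traversal,
    absolute, UNC or other-drive paths (all caught by the prefix test on the
    normalised path), and NTFS alternate data streams.
    """
    if not name or "\x00" in name:
        raise ValueError("empty name or NUL byte")
    candidate = ntpath.normpath(ntpath.join(BASE_DIR, name))
    if escapes_base(candidate):
        raise ValueError(f"path escapes base directory: {candidate}")
    # Relative part under BASE_DIR; a ':' here would name an alternate data
    # stream (file.txt:stream), letting data hide behind an allowed file name.
    rel = candidate[len(BASE_DIR) + 1:]
    if ":" in rel:
        raise ValueError(f"alternate data stream rejected: {candidate}")
    return candidate


# Constructed caller inputs: legitimate names plus typical escape attempts.
SAMPLE_INPUTS = [
    "device.key",                                          # legitimate
    "sub\\..\\device.key",                                 # '..' that stays inside
    "..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts",  # classic traversal
    "../../../Windows/win.ini",                            # forward slashes work too
    "C:\\Windows\\win.ini",                                # absolute path replaces the base
    "\\\\evil\\share\\payload",                            # UNC path
    "..\\keys2\\device.key",                               # prefix-without-separator trick
    "device.key:hidden",                                   # NTFS alternate data stream
]


def classify(names):
    """Map each input to 'allowed' or 'blocked' under safe_target()."""
    verdicts = {}
    for n in names:
        try:
            safe_target(n)
            verdicts[n] = "allowed"
        except ValueError:
            verdicts[n] = "blocked"
    return verdicts


if __name__ == "__main__":
    for n, v in classify(SAMPLE_INPUTS).items():
        print(f"{v:8} {n!r:55} naive join -> {vulnerable_target(n)}")
```

The essential ordering is canonicalise, then compare: a substring check for `..` before normalisation misses forward slashes and absolute or UNC paths, and a prefix check without normalisation misses `..` entirely. In a real service the same check belongs immediately before the privileged open, using the path the OS will actually resolve.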
Affected Products
The Cisco Duo Device Health Application for Windows is affected. Cisco confirms that the Cisco Duo Device Health Application for macOS is not affected by this vulnerability.
Fixes Available
Cisco has released free software updates that address this vulnerability.
Customers are advised to upgrade to a fixed software release as soon as possible to stay protected.
Source credit : cybersecuritynews.com