CVE-2024-20348 Overview
CVE-2024-20348 is a path traversal vulnerability in the Out-of-Band (OOB) Plug and Play (PnP) feature of Cisco Nexus Dashboard Fabric Controller (NDFC). The flaw allows an unauthenticated, remote attacker to read arbitrary files from the PnP container by sending crafted web requests directly to the provisioning server. The root cause is that the PnP feature exposes a provisioning web server that does not require authentication. Successful exploitation discloses sensitive files in the PnP container that could facilitate further attacks against the PnP infrastructure. The vulnerability is tracked under [CWE-22] Path Traversal and [CWE-27] Path Traversal: 'dir/../../filename'.
Critical Impact
Unauthenticated remote attackers can read sensitive files from the PnP container, including provisioning artifacts that could facilitate further attacks against the PnP infrastructure. Cisco rates the issue High (CVSS 3.1 base score 7.5): network-reachable, low attack complexity, no privileges or user interaction required, high confidentiality impact, no integrity or availability impact.
Affected Products
- Cisco Nexus Dashboard Fabric Controller 12.1.3
- Cisco Nexus Dashboard Fabric Controller 12.1.3b
- Deployments with the Out-of-Band Plug and Play feature enabled
Discovery Timeline
- 2024-04-03 - CVE-2024-20348 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-20348
Vulnerability Analysis
The vulnerability resides in the Out-of-Band Plug and Play provisioning component of Cisco NDFC. The PnP feature exposes a web server intended to deliver bootstrap configuration to network devices during zero-touch provisioning. This server does not enforce authentication on file retrieval requests and does not properly canonicalize requested file paths.
An attacker reaches the provisioning endpoint over the network without credentials. By manipulating path components in HTTP requests, the attacker traverses outside the intended provisioning directory. The server returns file contents from arbitrary locations within the PnP container filesystem.
The attack does not require user interaction and has low attack complexity. The impact is limited to confidentiality, but the disclosed material may include provisioning templates, device credentials, and configuration artifacts used to bootstrap fabric switches.
Root Cause
The root cause is twofold. First, the PnP provisioning web server lacks authentication controls on file access endpoints. Second, the file retrieval logic fails to sanitize directory traversal sequences such as ../ in request paths. Together these defects map to [CWE-22] and [CWE-27], allowing arbitrary file read from the container filesystem.
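The following is an added illustration of the two defects described above, not code from NDFC or Cisco: a file handler that joins the request path onto the provisioning directory without canonicalizing it, beside a hardened resolver that canonicalizes first and then enforces containment. The directory layout, file names and "secret" content are constructed for the demo.

```python
"""Added illustration (not NDFC code): a CWE-22/CWE-27 arbitrary file read
in a provisioning-style file server, beside a hardened resolver.
Paths, file names and contents are constructed for the demo."""
import os
import tempfile
from typing import Optional


def serve_file_vulnerable(base_dir: str, requested: str) -> bytes:
    """Pattern the advisory describes: no authentication and no
    canonicalization. os.path.join follows '../' components, so a request
    for 'configs/../../secret.txt' escapes base_dir (CWE-27)."""
    path = os.path.join(base_dir, requested)
    with open(path, "rb") as fh:
        return fh.read()


def resolve_within_root(base_dir: str, requested: str) -> Optional[str]:
    """Canonicalize, then enforce containment. realpath resolves '..',
    repeated separators and symlinks, so 'dir/../../name' and a symlink
    planted inside the root are both caught. Returns None when rejected."""
    root = os.path.realpath(base_dir)
    # Reject absolute paths and NUL bytes before joining: an absolute
    # component would make os.path.join discard base_dir entirely.
    if requested.startswith(("/", "\\")) or "\x00" in requested:
        return None
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def serve_file_hardened(base_dir: str, requested: str) -> bytes:
    """Hardened form: refuse anything that resolves outside the root."""
    path = resolve_within_root(base_dir, requested)
    if path is None:
        raise PermissionError(f"request escapes provisioning root: {requested!r}")
    with open(path, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway tree (constructed data): a provisioning root holding
    one bootstrap template, and a 'secret' file one level above it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "pnp", "provisioning")
        os.makedirs(os.path.join(root, "configs"))
        with open(os.path.join(root, "configs", "switch01.cfg"), "wb") as fh:
            fh.write(b"hostname switch01\n")
        with open(os.path.join(tmp, "pnp", "secret.txt"), "wb") as fh:
            fh.write(b"admin:hunter2\n")

        legit = "configs/switch01.cfg"
        evil = "configs/../../secret.txt"  # CWE-27 'dir/../../filename'

        results = {
            "vuln_legit": serve_file_vulnerable(root, legit),
            "vuln_evil": serve_file_vulnerable(root, evil),  # leaks secret.txt
            "hard_legit": serve_file_hardened(root, legit),
        }
        try:
            serve_file_hardened(root, evil)
            results["hard_evil"] = "ALLOWED"
        except PermissionError:
            results["hard_evil"] = "BLOCKED"
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The containment check compares against the realpath of the root rather than a string prefix, so a sibling directory such as `/srv/pnp-backup` is not mistaken for a child of `/srv/pnp`, and the absolute-path check runs before the join because `os.path.join(root, "/etc/passwd")` silently returns `/etc/passwd`.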
Attack Vector
Exploitation requires only network reachability to the NDFC PnP service. An attacker issues direct HTTP requests containing crafted relative path sequences to the provisioning endpoint. The server resolves the traversed path and returns the targeted file. No credentials, tokens, or prior foothold are required. The vulnerability is described in the Cisco Security Advisory cisco-sa-ndfc-dir-trav-SSn3AYDw.
Detection Methods for CVE-2024-20348
Indicators of Compromise
- HTTP requests to the NDFC PnP provisioning web server containing directory traversal sequences such as ../, ..%2f, or encoded variants
- Unauthenticated GET requests originating from unexpected source addresses to PnP endpoints
- Access log entries showing retrieval of files outside the standard PnP provisioning directory
- Outbound connections from the PnP container correlating with prior anomalous web access
Detection Strategies
- Inspect NDFC and PnP web server access logs for path traversal patterns and abnormal response sizes
- Deploy network IDS signatures that flag traversal sequences targeting the PnP provisioning port
- Baseline normal PnP request patterns from managed switches and alert on deviations from the expected User-Agent or source ranges
- Correlate provisioning server access with downstream configuration changes on fabric devices
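As an added example of the log inspection described in the indicators and detection strategies above (not a Cisco tool or part of the original page), the script below scans access-log lines for traversal attempts, normalizing plain, percent-encoded and double-encoded variants, flags whether the request targets the provisioning prefix and climbs above it, and tallies hits per source address. The combined-log format, the `/pnp/` URL prefix and the sample log lines are all assumptions constructed for the demo; adjust the regex and prefix to the real NDFC log format.

```python
"""Added example (not part of the original page or a Cisco tool): detect
directory-traversal attempts against a provisioning endpoint in access logs.
Log format, URL prefix and sample lines are assumptions for the demo."""
import re
from collections import Counter
from urllib.parse import unquote

# Combined-log-style pattern (assumption: the real NDFC/PnP access log
# format may differ; adjust the regex to match it).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

PNP_PREFIX = "/pnp/"  # assumed URL prefix of the provisioning endpoint


def fully_decode(path: str, max_rounds: int = 4) -> str:
    """Percent-decode until the string stops changing, so '..%2f',
    '%2e%2e/' and double-encoded '..%252f' all normalize to '../'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def _segments(path: str):
    # Drop the query string and treat backslash as a separator too.
    return path.split("?", 1)[0].replace("\\", "/").split("/")


def climbs_above(relative: str) -> bool:
    """True if the path walks above its own starting directory."""
    depth = 0
    for seg in _segments(relative):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def analyze_line(line: str):
    """Return a finding dict for a traversal attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("path")
    decoded = fully_decode(raw)
    if ".." not in _segments(decoded):
        return None  # clients normalize dot-segments; a raw '..' is anomalous
    targets_pnp = decoded.startswith(PNP_PREFIX)
    return {
        "src": m.group("src"),
        "status": int(m.group("status")),  # 200 means the file was served
        "raw_path": raw,
        "decoded_path": decoded,
        "targets_pnp": targets_pnp,
        "escapes_pnp_root": targets_pnp and climbs_above(decoded[len(PNP_PREFIX):]),
    }


def scan_log(lines):
    """Return (findings, hits-per-source) for a list of log lines."""
    findings = [f for f in (analyze_line(ln) for ln in lines) if f]
    return findings, Counter(f["src"] for f in findings)


# Constructed sample lines: one legitimate switch fetch, then plain,
# encoded and double-encoded traversal, then traversal against another path.
SAMPLE_LOG = [
    '10.10.20.15 - - [03/Apr/2024:10:01:02 +0000] "GET /pnp/configs/switch01.cfg HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Apr/2024:10:05:44 +0000] "GET /pnp/configs/../../etc/passwd HTTP/1.1" 200 1381',
    '198.51.100.7 - - [03/Apr/2024:10:05:45 +0000] "GET /pnp/configs/..%2f..%2fapp%2fsecrets.yaml HTTP/1.1" 200 220',
    '198.51.100.7 - - [03/Apr/2024:10:05:46 +0000] "GET /pnp/..%252f..%252fetc%252fshadow HTTP/1.1" 404 0',
    '203.0.113.9 - - [03/Apr/2024:10:09:10 +0000] "GET /static/../../x HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    findings, per_source = scan_log(SAMPLE_LOG)
    for f in findings:
        print(f["src"], f["status"], f["decoded_path"], "escapes_pnp_root=%s" % f["escapes_pnp_root"])
    print(dict(per_source))
```

Pair the per-source tally with the baseline of managed-switch addresses and User-Agents the list above recommends: a traversal hit from outside the provisioning range, or one answered with 200 and a non-trivial response size, is the case to escalate.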
Monitoring Recommendations
- Forward NDFC application and access logs to a centralized SIEM for retention and correlation
- Monitor management network segments for unauthorized hosts reaching the NDFC PnP service
- Track file access patterns within the PnP container to identify reads of sensitive credential or configuration files
How to Mitigate CVE-2024-20348
Immediate Actions Required
- Upgrade Cisco NDFC to a fixed release as identified in the Cisco Security Advisory
- Restrict network access to the NDFC PnP provisioning service to trusted management subnets only
- Audit PnP container contents and rotate any credentials or keys that may have been stored in provisioning artifacts
- Review access logs from the disclosure window for evidence of traversal attempts
Patch Information
Cisco has released fixed software for NDFC. Customers running versions 12.1.3 and 12.1.3b must upgrade to a patched release per the vendor advisory cisco-sa-ndfc-dir-trav-SSn3AYDw. No workaround fully addresses the issue without applying the fix.
Workarounds
- Disable the Out-of-Band Plug and Play feature on NDFC if it is not required for operations
- Place the NDFC management interface behind a firewall that permits inbound connections only from authorized provisioning sources
- Use network segmentation and ACLs to isolate the PnP provisioning port from general user networks
! Example access restriction on an upstream switch or firewall, shown in
! NX-OS named-ACL syntax (adjust for your platform). Permit only the
! management subnet to reach the NDFC PnP service, log everything else.
ip access-list NDFC_PNP
  10 permit tcp 10.10.20.0/24 host <ndfc-pnp-ip> eq <pnp-port>
  20 deny tcp any host <ndfc-pnp-ip> eq <pnp-port> log
  30 permit ip any any
interface <uplink-interface>
  ip access-group NDFC_PNP in
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

