CVE-2024-7401

Description

Netskope was notified about a security gap in Netskope Client enrollment process where NSClient is using a static token “Orgkey” as authentication parameter. Since this is a static token, if leaked, cannot be rotated or revoked. A malicious actor can use this token to enroll NSClient from a customer’s tenant and impersonate a user.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

Low

User Interaction

None

Confidentiality (Vulnerable System)

Low

Integrity (Vulnerable System)

High

Availability (Vulnerable System)

Low

Confidentiality (Subsequent System)

High

Integrity (Subsequent System)

High

Availability (Subsequent System)

Low

Red

Affected products

Netskope / Netskope ClientAll – All

References

VENDOR_ADVISORYhttps://www.netskope.com/company/security-compliance-and-assurance/security-advisories-and-disclosures/netskope-security-advisory-nskpsa-2024-001
MISChttps://docs.netskope.com/en/secure-enrollment/
MISChttps://quickskope.com/