Security
Headlines
HeadlinesLatestCVEs

Headline

Cisco Releases Patches for Critical Flaws Impacting Nexus Dashboard for Data Centers

Cisco on Wednesday released security patches for 45 vulnerabilities affecting a variety of products, some of which could be exploited to execute arbitrary actions with elevated permissions on affected systems. Of the 45 bugs, one security vulnerability is rated Critical, three are rated High, and 41 are rated Medium in severity. The most severe of the issues are CVE-2022-20857, CVE-2022-20858,

The Hacker News
#xss#csrf#vulnerability#web#cisco#dos#auth#ssl#The Hacker News

Cisco on Wednesday released security patches for 45 vulnerabilities affecting a variety of products, some of which could be exploited to execute arbitrary actions with elevated permissions on affected systems.

Of the 45 bugs, one security vulnerability is rated Critical, three are rated High, and 41 are rated Medium in severity.

The most severe of the issues are CVE-2022-20857, CVE-2022-20858, and CVE-2022-20861, which impact Cisco Nexus Dashboard for data centers and cloud network infrastructures and could enable an “unauthenticated remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack.”

  • CVE-2022-20857 (CVSS score: 9.8) - Cisco Nexus Dashboard arbitrary command execution vulnerability
  • CVE-2022-20858 (CVSS score: 8.2) - Cisco Nexus Dashboard container image read and write vulnerability
  • CVE-2022-20861 (CVSS score: 8.8) - Cisco Nexus Dashboard cross-site request forgery (CSRF) vulnerability

All the three vulnerabilities, which were identified during internal security testing, affect Cisco Nexus Dashboard 1.1 and later, with fixes available in version 2.2(1e).

Another high-severity flaw relates to a vulnerability in the SSL/TLS implementation of Cisco Nexus Dashboard (CVE-2022-20860, CVSS score: 7.4) that could permit an unauthenticated, remote attacker to alter communications with associated controllers or view sensitive information.

“An attacker could exploit this vulnerability by using man-in-the-middle techniques to intercept the traffic between the affected device and the controllers, and then using a crafted certificate to impersonate the controllers,” the company said in an advisory.

“A successful exploit could allow the attacker to alter communications between devices or view sensitive information, including Administrator credentials for these controllers.”

Another set of five shortcomings in the Cisco Nexus Dashboard products concerns a mix of four privilege escalation flaws and an arbitrary file write vulnerability that could permit an authenticated attacker to gain root permissions and write arbitrary files to the devices.

Elsewhere resolved by Cisco are 35 vulnerabilities in its Small Business RV110W, RV130, RV130W, and RV215W routers that could equip an adversary already in possession of valid Administrator credentials with capabilities to run arbitrary code or cause a denial-of-service (DoS) condition by sending a specially crafted request to the web-based management interface.

Rounding off the patches is a fix for a cross-site scripting (XSS) vulnerability in the web-based management interface of Cisco IoT Control Center that, if successfully weaponized, could enable an unauthenticated, remote attacker to stage an XSS attack against a user.

“An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link,” Cisco said. “A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.”

Although none of the aforementioned vulnerabilities are said to be maliciously put to use in real-world attacks, it’s imperative that users of the affected appliances move quickly to apply the patches.

The updates also arrived less than two weeks after Cisco rolled out patches for 10 security flaws, including an arbitrary critical file overwrite vulnerability in Cisco Expressway Series and Cisco TelePresence Video Communication Server (CVE-2022-20812) that could lead to absolute path traversal attacks.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related news

Cisco patches dangerous bug trio in Nexus Dashboard

Inadequate access control and CSRF protections spawn critical and high severity issues

CVE-2022-20861: Cisco Security Advisory: Cisco Nexus Dashboard Unauthorized Access Vulnerabilities

Multiple vulnerabilities in Cisco Nexus Dashboard could allow an unauthenticated, remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack. For more information about these vulnerabilities, see the Details section of this advisory.

CVE-2022-20861: Cisco Security Advisory: Cisco Nexus Dashboard Unauthorized Access Vulnerabilities

Multiple vulnerabilities in Cisco Nexus Dashboard could allow an unauthenticated, remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack. For more information about these vulnerabilities, see the Details section of this advisory.

CVE-2022-20860: Cisco Security Advisory: Cisco Nexus Dashboard SSL Certificate Validation Vulnerability

A vulnerability in the SSL/TLS implementation of Cisco Nexus Dashboard could allow an unauthenticated, remote attacker to alter communications with associated controllers or view sensitive information. This vulnerability exists because SSL server certificates are not validated when Cisco Nexus Dashboard is establishing a connection to Cisco Application Policy Infrastructure Controller (APIC), Cisco Cloud APIC, or Cisco Nexus Dashboard Fabric Controller, formerly Data Center Network Manager (DCNM) controllers. An attacker could exploit this vulnerability by using man-in-the-middle techniques to intercept the traffic between the affected device and the controllers, and then using a crafted certificate to impersonate the controllers. A successful exploit could allow the attacker to alter communications between devices or view sensitive information, including Administrator credentials for these controllers.

CVE-2022-20861: Cisco Security Advisory: Cisco Nexus Dashboard Unauthorized Access Vulnerabilities

Multiple vulnerabilities in Cisco Nexus Dashboard could allow an unauthenticated, remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack. For more information about these vulnerabilities, see the Details section of this advisory.

ICYMI: Critical Cisco RCE Bug, Microsoft Breaks Down Hive, SHI Cyberattack

Dark Reading's digest of the other don't-miss stories of the week, including a new ransomware targeting QNAP gear, and a destructive attack against the College of the Desert that lingers on.

Cisco and Fortinet Release Security Patches for Multiple Products

Cisco on Wednesday rolled out patches for 10 security flaws spanning multiple products, one of which is rated Critical in severity and could be weaponized to conduct absolute path traversal attacks. The issues, tracked as CVE-2022-20812 and CVE-2022-20813, affect Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) and "could allow a remote attacker to overwrite