Headline
Cisco and Fortinet Release Security Patches for Multiple Products
Cisco on Wednesday rolled out patches for 10 security flaws spanning multiple products, one of which is rated Critical in severity and could be weaponized to conduct absolute path traversal attacks. The issues, tracked as CVE-2022-20812 and CVE-2022-20813, affect Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) and "could allow a remote attacker to overwrite
Cisco on Wednesday rolled out patches for 10 security flaws spanning multiple products, one of which is rated Critical in severity and could be weaponized to conduct absolute path traversal attacks.
The issues, tracked as CVE-2022-20812 and CVE-2022-20813, affect Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) and “could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device,” the company said in an advisory.
CVE-2022-20812 (CVSS score: 9.0), which concerns a case of arbitrary file overwrite in the cluster database API, requires the authenticated, remote attacker to have Administrator read-write privileges on the application so as to be able to mount path traversal attacks as a root user.
“This vulnerability is due to insufficient input validation of user-supplied command arguments,” the company said. “An attacker could exploit this vulnerability by authenticating to the system as an administrative read-write user and submitting crafted input to the affected command.”
Successful exploitation of the flaw could enable the adversary to overwrite arbitrary files on the underlying operating system.
CVE-2022-20813 (CVSS score: 7.4), on the other hand, has been described as a null byte poisoning flaw arising due to improper certificate validation, which could be weaponized by an attacker to stage a man-in-the-middle (MitM) attack and gain unauthorized access to sensitive data.
Also patched by Cisco is a high-severity flaw in its Smart Software Manager On-Prem (CVE-2022-20808, CVSS score: 7.7) that could be abused by an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
Fortinet issues fixes for several products
In a related development, Fortinet addressed multiple high-severity vulnerabilities affecting FortiAnalyzer, FortiClient, FortiDeceptor, and FortiNAC -
- CVE-2021-43072 (CVSS score: 7.4) - Stack-based buffer overflow via crafted CLI execute command in FortiAnalyzer, FortiManager, FortiOS and FortiProxy
- CVE-2021-41031 (CVSS score: 7.8) - Privilege Escalation via directory traversal attack in FortiClient for Windows
- CVE-2022-30302 (CVSS score: 7.9) - Multiple path traversal vulnerabilities in FortiDeceptor management interface, and
- CVE-2022-26117 (CVSS score: 8.0) - Unprotected MySQL root account in FortiNAC
Should the flaws be successfully exploited, it may allow an authenticated attacker to execute arbitrary code, retrieve and delete files, and access MySQL databases, or even permit a local unprivileged actor to escalate to SYSTEM permissions.
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.
Related news
A buffer copy without checking size of input ('classic buffer overflow') in Fortinet FortiAnalyzer version 7.0.2 and below, version 6.4.7 and below, version 6.2.9 and below, version 6.0.11 and below, version 5.6.11 and below, FortiManager version 7.0.2 and below, version 6.4.7 and below, version 6.2.9 and below, version 6.0.11 and below, version 5.6.11 and below, FortiOS version 7.0.0 through 7.0.4, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, 6.0.x and FortiProxy version 7.0.0 through 7.0.3, 2.0.0 through 2.0.8, 1.2.x, 1.1.x and 1.0.x allows attacker to execute unauthorized code or commands via crafted CLI `execute restore image` and `execute certificate remote` operations with the tFTP protocol.
Cisco on Wednesday released security patches for 45 vulnerabilities affecting a variety of products, some of which could be exploited to execute arbitrary actions with elevated permissions on affected systems. Of the 45 bugs, one security vulnerability is rated Critical, three are rated High, and 41 are rated Medium in severity. The most severe of the issues are CVE-2022-20857, CVE-2022-20858,
Multiple relative path traversal vulnerabilities [CWE-23] in FortiDeceptor management interface 1.0.0 through 3.2.x, 3.3.0 through 3.3.2, 4.0.0 through 4.0.1 may allow a remote and authenticated attacker to retrieve and delete arbitrary files from the underlying filesystem via specially crafted web requests.
An empty password in configuration file vulnerability [CWE-258] in FortiNAC version 8.3.7 and below, 8.5.2 and below, 8.5.4, 8.6.0, 8.6.5 and below, 8.7.6 and below, 8.8.11 and below, 9.1.5 and below, 9.2.3 and below may allow an authenticated attacker to access the MySQL databases via the CLI.
A relative path traversal vulnerability [CWE-23] in FortiClient for Windows versions 7.0.2 and prior, 6.4.6 and prior and 6.2.9 and below may allow a local unprivileged attacker to escalate their privileges to SYSTEM via the named pipe responsible for FortiESNAC service.
Dark Reading's digest of the other don't-miss stories of the week, including a new ransomware targeting QNAP gear, and a destructive attack against the College of the Desert that lingers on.
Four high, six medium, and one low severity issue fixed
Multiple vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device. Note: Cisco Expressway Series refers to the Expressway Control (Expressway-C) device and the Expressway Edge (Expressway-E) device. For more information about these vulnerabilities, see the Details section of this advisory.
A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to incorrect handling of multiple simultaneous device registrations on Cisco SSM On-Prem. An attacker could exploit this vulnerability by sending multiple device registration requests to Cisco SSM On-Prem. A successful exploit could allow the attacker to cause a DoS condition on an affected device.