Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability. This CVE ID is unique from CVE-2022-24484, CVE-2022-26784.

CVE-2022-24538

Microsoft Defender Denial of Service Vulnerability.

CVE-2022-24548

Windows Secure Channel Denial of Service Vulnerability.

CVE-2022-26915

CVE-2022-26924

Windows LDAP Denial of Service Vulnerability.

CVE-2022-26831

.NET Framework Denial of Service Vulnerability.

CVE-2022-26832

An issue was discovered in YottaDB through r1.32 and V7.0-000 and FIS GT.M through V7.0-000. Using crafted input, attackers can cause a type to be incorrectly initialized in the function f_incr in sr_port/f_incr.c and cause a crash due to a NULL pointer dereference.

CVE-2021-44492: GT.M V7.0-002 Release Notes

A denial of service vulnerability exists in the parseNormalModeParameters functionality of MZ Automation GmbH libiec61850 1.5.0. A specially-crafted series of network requests can lead to denial of service. An attacker can send a sequence of malformed iec61850 messages to trigger this vulnerability.

**Summary**

A denial of service vulnerability exists in the parseNormalModeParameters functionality of MZ Automation GmbH libiec61850 1.5.0. A specially-crafted series of network requests can lead to denial of service. An attacker can send a sequence of malformed iec61850 messages to trigger this vulnerability.

**Tested Versions**

MZ Automation GmbH libiec61850 1.5.0

**Product URLs**

libiec61850 - https://github.com/mz-automation/libiec61850

**CVSSv3 Score**

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**CWE**

CWE-835 - Loop with Unreachable Exit Condition (‘Infinite Loop’)

**Details**

libiec61850 is a C implementation of the various protocols defined within the IEC61850 specification. Example client/server applications are provided for common use cases. This library can also be used as a building block to integrate IEC61850 communications into a custom client/server application.

When an IEC61850 message containing a Presentation layer with Normal Mode parameters is processed, execution enters the `parseNormalModeParameters` function in `iso_presentation.c`. This function loops over the message buffer starting from a provided `bufPos` position until the `endPos` position is reached or a failure case is encountered. At the start of each iteration, the BER tag for the current parameter is extracted from the buffer, as shown below.

    static int
    parseNormalModeParameters(IsoPresentation* self, uint8_t* buffer, int totalLength, int bufPos)
    {
        int endPos = bufPos + totalLength;
    
        self->calledPresentationSelector.size = 0;
        self->callingPresentationSelector.size = 0;
    
        bool hasUserData = false;
    
        while (bufPos < endPos) {
            uint8_t tag = buffer[bufPos++];
            int len;
    
            if (bufPos == endPos) {
                if (DEBUG_PRES)
                    printf("PRES: invalid message\n");
                return -1;
            }
    
            bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, endPos);
    

The value of this tag determines how the bytes following should be processed. Three cases in particular are notable: 0xA4, 0x00 and the default.

When the tag 0x00 is encountered, execution just continues on to the next loop iteration and starts processing the next tag. In this case the `bufPos` variable will be incremented by one when the next tag is read.

    case 0x00: /* indefinite length end tag -> ignore */
    break;
    

When an unknown tag is encountered, the buffer position is incremented to skip past it, and execution continues on to the next loop iteration and starts processing the next tag. This allows for longer position jumps within the buffer.

    default:
        if (DEBUG_PRES)
            printf("PRES: unknown tag in normal-mode\n");
    
        bufPos += len;
        break;
    

When the `presentation-context-definition list` parameter (0xA4) is encountered, the function `parsePresentationContextDefinitionList` is used to perform additional parsing. Notably, the result of `parsePresentationContextDefinitionList` gets placed into the `bufPos` variable and is not checked before the next loop iteration.

    case 0xa4: /* presentation-context-definition list */
        if (DEBUG_PRES)
            printf("PRES: pcd list\n");
    
        bufPos = parsePresentationContextDefinitionList(self, buffer, len, bufPos);
        break;
    

`parsePresentationContextDefinitionList` starts off by calculating the end of the presentation-context-definition list before entering a processing loop where the next tag is extracted and its length decoded.

    static int
    parsePresentationContextDefinitionList(IsoPresentation* self, uint8_t* buffer, int totalLength, int bufPos)
    {
        int endPos = bufPos + totalLength;
    
        while (bufPos < endPos) {
            uint8_t tag = buffer[bufPos++];
            int len;
    
            bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, endPos);
            if (bufPos < 0)
                return -1;
    

`BerDecoder_decodeLength` starts recursively processing the length, returning the result.

    int
    BerDecoder_decodeLength(uint8_t* buffer, int* length, int bufPos, int maxBufPos)
    {
        return BerDecoder_decodeLengthRecursive(buffer, length, bufPos, maxBufPos, 0, 50);
    }
    

Finally, `BerDecoder_decodeLengthRecursive` is called, and a check is made to determine if the current position is greater than or equal to the maximum allowed buffer. When it is determined to be so, `-1` is returned.

    static int
    BerDecoder_decodeLengthRecursive(uint8_t* buffer, int* length, int bufPos, int maxBufPos, int depth, int maxDepth)
    {
        if (bufPos >= maxBufPos){
            return -1;
        }
    

When this occurs, `-1` gets returned up the chain to `parsePresentationContextDefinitionList`.

    static int
    parsePresentationContextDefinitionList(IsoPresentation* self, uint8_t* buffer, int totalLength, int bufPos)
    {
        int endPos = bufPos + totalLength;
    
        while (bufPos < endPos) {
            uint8_t tag = buffer[bufPos++];
            int len;
    
            bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, endPos);
            if (bufPos < 0)
                return -1;
    

Here `bufPos` is determined to be less than zero and `-1` is again returned, this time back to the `presentation-context-definition list` case within `parseNormalModeParameters`.

    case 0xa4: /* presentation-context-definition list */
        if (DEBUG_PRES)
            printf("PRES: pcd list\n");
    
        bufPos = parsePresentationContextDefinitionList(self, buffer, len, bufPos);
        break;
    

This leaves `bufPos` set to `-1` at the start of the next loop iteration, allowing the while condition to pass and begin again.

    static int
    parseNormalModeParameters(IsoPresentation* self, uint8_t* buffer, int totalLength, int bufPos)
    {
        int endPos = bufPos + totalLength;
    
        self->calledPresentationSelector.size = 0;
        self->callingPresentationSelector.size = 0;
    
        bool hasUserData = false;
    
        while (bufPos < endPos) {
            uint8_t tag = buffer[bufPos++];
            int len;
    

If a message is properly constructed such that `len` and `bufPos` add together to equal `endPos`, the failure case in `BerDecoder_decodeLengthRecursive` will be hit and `bufPos` will be set to `-1`. Then as long as nothing within the buffer causes `bufPos` to be greater than `endPos`, and the `presentation-context-definition list` continues to be executed. An infinite loop condition will be reached.

Since each connection is handled in its own thread, one of these messages will not be enough to cause a denial of service. However, by sending the message multiple times it is possible to tie up all of the available connections and prevent legitimate communications from getting through to the server. The maximum number of client connections is set to a default value of 100 in `stack_config.h`, as shown below:

    /* number of concurrent MMS client connections the server accepts, -1 for no limit */
    #define CONFIG_MAXIMUM_TCP_CLIENT_CONNECTIONS 100
    

If at least `CONFIG_MAXIMUM_TCP_CLIENT_CONNECTIONS` malformed messages are sent, all available connections will be stuck in infinite loops, preventing any new connections from being processed

**Crash Information**

When a known good MMS Initiate Request message is sent to the server, an Initiate Response message is expected to be returned.

    "No.","Time","Source","Destination","Protocol","Length","Info"
    "1","0.000000000","127.0.0.1","127.0.0.1","TCP","74","46602  >  102 [SYN] Seq=0 Win=65495 Len=0 MSS=65495 SACK_PERM=1 TSval=3775924408 TSecr=0 WS=128"
    "2","0.000010190","127.0.0.1","127.0.0.1","TCP","74","102  >  46602 [SYN, ACK] Seq=0 Ack=1 Win=65483 Len=0 MSS=65495 SACK_PERM=1 TSval=3775924408 TSecr=3775924408 WS=128"
    "3","0.000019233","127.0.0.1","127.0.0.1","TCP","66","46602  >  102 [ACK] Seq=1 Ack=1 Win=65536 Len=0 TSval=3775924408 TSecr=3775924408"
    "4","0.000144676","127.0.0.1","127.0.0.1","MMS","263","initiate-RequestPDU "
    "5","0.000149145","127.0.0.1","127.0.0.1","TCP","66","102  >  46602 [ACK] Seq=1 Ack=198 Win=65408 Len=0 TSval=3775924408 TSecr=3775924408"
    "6","0.000207725","127.0.0.1","127.0.0.1","MMS","208","initiate-ResponsePDU "
    "7","0.000228681","127.0.0.1","127.0.0.1","TCP","66","46602  >  102 [ACK] Seq=198 Ack=143 Win=65408 Len=0 TSval=3775924408 TSecr=3775924408"
    "8","0.000280524","127.0.0.1","127.0.0.1","TCP","66","46602  >  102 [FIN, ACK] Seq=198 Ack=143 Win=65536 Len=0 TSval=3775924408 TSecr=3775924408"
    "9","0.042521649","127.0.0.1","127.0.0.1","TCP","66","102  >  46602 [ACK] Seq=143 Ack=199 Win=65536 Len=0 TSval=3775924450 TSecr=3775924408"
    "10","0.042576068","127.0.0.1","127.0.0.1","TCP","66","102  >  46602 [FIN, ACK] Seq=143 Ack=199 Win=65536 Len=0 TSval=3775924450 TSecr=3775924408"
    "11","0.042668070","127.0.0.1","127.0.0.1","TCP","66","46602  >  102 [ACK] Seq=199 Ack=144 Win=65536 Len=0 TSval=3775924450 TSecr=3775924450"
    

After the poc has been run and all available client connections are stuck in a loop, a TCP Reset is received instead of an Initiate Response message.

    "No.","Time","Source","Destination","Protocol","Length","Info"
    "1408","35.098853688","127.0.0.1","127.0.0.1","TCP","74","46810  >  102 [SYN] Seq=0 Win=65495 Len=0 MSS=65495 SACK_PERM=1 TSval=3776076062 TSecr=0 WS=128"
    "1409","35.098869281","127.0.0.1","127.0.0.1","TCP","74","102  >  46810 [SYN, ACK] Seq=0 Ack=1 Win=65483 Len=0 MSS=65495 SACK_PERM=1 TSval=3776076062 TSecr=3776076062 WS=128"
    "1410","35.098881077","127.0.0.1","127.0.0.1","TCP","66","46810  >  102 [ACK] Seq=1 Ack=1 Win=65536 Len=0 TSval=3776076062 TSecr=3776076062"
    "1411","35.098929987","127.0.0.1","127.0.0.1","MMS","263","initiate-RequestPDU "
    "1412","35.098934721","127.0.0.1","127.0.0.1","TCP","66","102  >  46810 [ACK] Seq=1 Ack=198 Win=65408 Len=0 TSval=3776076062 TSecr=3776076062"
    "1413","35.099298315","127.0.0.1","127.0.0.1","TCP","66","102  >  46810 [FIN, ACK] Seq=1 Ack=198 Win=65408 Len=0 TSval=3776076063 TSecr=3776076062"
    "1414","35.099328069","127.0.0.1","127.0.0.1","TCP","66","102  >  46810 [RST, ACK] Seq=2 Ack=198 Win=65536 Len=0 TSval=3776076063 TSecr=3776076062"
    

**Mitigation**

The `presentation-context-definition list` case could check for failure similar to how the `user data` parameter (0x61) checks the `bufPos` value before allowing execution to continue. A diff including this suggested update is shown below:

    user@machine:~$ git diff
    diff --git a/src/mms/iso_presentation/iso_presentation.c b/src/mms/iso_presentation/iso_presentation.c
    index 96fd8a3..38cb9c1 100644
    --- a/src/mms/iso_presentation/iso_presentation.c
    +++ b/src/mms/iso_presentation/iso_presentation.c
    @@ -469,6 +469,11 @@ parseNormalModeParameters(IsoPresentation* self, uint8_t* buffer, int totalLengt
                 if (DEBUG_PRES)
                     printf("PRES: pcd list\n");
                 bufPos = parsePresentationContextDefinitionList(self, buffer, len, bufPos);
    +
    +            if (bufPos < 0){
    +                return -1;
    +            }
    +
                 break;
     
             case 0xa5: /* context-definition-result-list */
    user@machine:~$
    

**Timeline**

2022-02-28 - Public Release  

Discovered by Jared Rittle of Cisco Talos.

CVE-2022-21159: TALOS-2022-1467 || Cisco Talos Intelligence Group

A vulnerability in the Application Visibility and Control (AVC-FNF) feature of Cisco IOS XE Software for Cisco Catalyst 9800 Series Wireless Controllers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient packet verification for traffic inspected by the AVC feature. An attacker could exploit this vulnerability by sending crafted packets from the wired network to a wireless client, resulting in the crafted packets being processed by the wireless controller. A successful exploit could allow the attacker to cause a crash and reload of the affected device, resulting in a DoS condition.

*   Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.
    
    Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:  
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
    
    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
    
    The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.
    
    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
    
    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    
    **Customers Without Service Contracts**
    
    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
    
    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
    
    **Cisco IOS and IOS XE Software**
    
    To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides the Cisco Software Checker to identify any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory (“First Fixed”). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified (“Combined First Fixed”).
    
    Customers can use the Cisco Software Checker to search advisories in the following ways:
    
    *   Choose the software and one or more releases
    *   Upload a .txt file that includes a list of specific releases
    *   Enter the output of the **show version** command
    
    After initiating a search, customers can customize the search to include all Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication.
    
    Customers can also use the following form to determine whether a release is affected by any Cisco Security Advisory by entering a Cisco IOS or IOS XE Software release-for example, **15.1(4)M2** or **3.13.8S**:
    
    By default, the Cisco Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, customers can use the Cisco Software Checker on Cisco.com and check the **Medium** check box in the drop-down list under **Impact Rating** when customizing a search.

CVE-2022-20683: Cisco Security Advisory: Cisco IOS XE Software for Catalyst 9800 Series Wireless Controllers Application Visibility and Control Denial of Service Vulnerability

Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being authenticated, or conduct a cross-site scripting (XSS) attack against a user of the affected software. For more information about these vulnerabilities, see the Details section of this advisory.

*   The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.
    
    Details about the vulnerabilities are as follows:
    
    **CVE-2022-20718: Cisco IOx Application Hosting Environment Parameter Injection Vulnerability**
    
    A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticated, remote attacker to execute a parameter injection using the Cisco IOx API.
    
    This vulnerability is due to incomplete sanitization of parameters that are passed in for activation of an application. An attacker could exploit this vulnerability by deploying and activating an application in the Cisco IOx application hosting environment with a crafted activation payload file. A successful exploit could allow the attacker to execute arbitrary code as _root_ on the underlying host operating system.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    Bug ID(s): CSCvy35913  
    CVE ID: CVE-2022-20718  
    Security Impact Rating (SIR): Medium  
    CVSS Base Score: 5.5  
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
    
    **CVE-2022-20719: Cisco IOx Application Hosting Environment Parameter Injection Vulnerability**
    
    A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticated, remote attacker to execute a parameter injection using the Cisco IOx API.
    
    This vulnerability is due to incomplete sanitization of parameters that are passed in as part of the IOx package descriptor. An attacker could exploit this vulnerability by crafting an IOx package descriptor file and then building and deploying an application in the Cisco IOx application hosting environment. A successful exploit could allow the attacker to execute arbitrary code as _root_ on the underlying host operating system.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    Bug ID(s): CSCvy86583  
    CVE ID: CVE-2022-20719  
    Security Impact Rating (SIR): Medium  
    CVSS Base Score: 5.5  
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
    
    **CVE-2022-20720: Cisco IOx Application Hosting Environment Path Traversal Vulnerability**
    
    A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticated, remote attacker to read or write arbitrary data on the underlying host operating system.
    
    This vulnerability exists because a real path check is not performed on the requested data. An attacker could exploit this vulnerability by creating a symbolic link within the deployed application and requesting data using the API. A successful exploit could allow the attacker to read or execute arbitrary code as _root_ on the underlying host operating system.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    Bug ID(s): CSCvy30957  
    CVE ID: CVE-2022-20720  
    Security Impact Rating (SIR): Medium  
    CVSS Base Score: 5.5  
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
    
    **CVE-2022-20723: Cisco IOx Application Hosting Environment Arbitrary Code Execution Vulnerability**
    
    A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticated, remote attacker to execute arbitrary code on the underlying host operating system.
    
    This vulnerability is due to incomplete sanitization of parameters that are passed in for activation of an application. An attacker could exploit this vulnerability by deploying and activating an application in the Cisco IOx application hosting environment with a crafted activation payload file. A successful exploit could allow the attacker to execute arbitrary code as _root_ on the underlying host operating system.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    Bug ID(s): CSCvy86603  
    CVE ID: CVE-2022-20723  
    Security Impact Rating (SIR): Medium  
    CVSS Base Score: 5.5  
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
    
    **CVE-2022-20725: Cisco IOx Application Hosting Environment Cross-Site Scripting Vulnerability**
    
    A vulnerability in the web-based Local Manager interface of the Cisco IOx application hosting environment could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based Local Manager interface of an affected device. The attacker must have valid Local Manager credentials.
    
    This vulnerability is due to insufficient validation of user-supplied input by the web-based Local Manager interface. An attacker could exploit this vulnerability by injecting malicious code into a system settings tab. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web interface or allow the attacker to access sensitive browser-based information.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    Bug ID(s): CSCvy86608  
    CVE ID: CVE-2022-20725  
    Security Impact Rating (SIR): Medium  
    CVSS Base Score: 5.5  
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
    
    **CVE-2022-20724: Cisco IOx Application Hosting Environment User Impersonation Vulnerability**
    
    A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an unauthenticated, remote attacker to bypass authentication and impersonate another authenticated user session.
    
    This vulnerability is due to a race condition for allocation of the token. An attacker could exploit this vulnerability by constantly trying a call to the upload API, and if the calls occur at the same time as an authorized administrator deploying an application, the attacker may race the token and be given the ability to bypass authentication. A successful exploit could allow the attacker to bypass authentication.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    Bug ID(s): CSCvy86604  
    CVE ID: CVE-2022-20724  
    Security Impact Rating (SIR): Medium  
    CVSS Base Score: 5.3  
    CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
    
    **CVE-2022-20726:** **Cisco IOx Application Hosting Environment Denial of Service Vulnerability**
    
    A vulnerability in the Cisco IOx application hosting environment of Cisco 809 Industrial Integrated Services Routers (Industrial ISRs), Cisco 829 Industrial ISRs, Cisco CGR 1000 Compute Modules, and Cisco IC3000 Industrial Compute Gateways could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
    
    This vulnerability is due to insufficient error handling of socket operations. An attacker could exploit this vulnerability by sending a sustained rate of crated TCP traffic to the IOx web server on an affected device. A successful exploit could allow the attacker to cause the IOx web server to stop processing requests, resulting in a DoS condition.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    Bug ID(s): CSCvx27640  
    CVE ID: CVE-2022-20726  
    Security Impact Rating (SIR): Medium  
    CVSS Base Score: 5.3  
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    
    **CVE-2022-20677: Cisco IOS XE Software Privilege Escalation Vulnerability**
    
    A vulnerability in the Cisco IOx application hosting environment in Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges from privilege level 15 to _root_ on an affected device.
    
    This vulnerability is due to incomplete file protection for the Cisco IOx application hosting environment. An attacker could exploit this vulnerability by modifying the file system with a crafted payload. A successful exploit could allow the attacker to execute arbitrary commands as _root_.
    
    Bug ID(s): CSCvy30903 CSCvy16608  
    CVE ID: CVE-2022-20677  
    Security Impact Rating (SIR): Medium  
    CVSS Base Score: 5.1  
    CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
    
    **CVE-2022-20727: Cisco IOx Application Hosting Environment Privilege Escalation**
    
    A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticated, local attacker to gain escalated privileges.
    
    This vulnerability is due to improper input validation when loading Cisco IOx applications. An attacker could exploit this vulnerability by modifying application content while a Cisco IOx application is loading. A successful exploit could allow the attacker to gain privileges equivalent to the _root_ user.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    Bug ID(s): CSCvy35914  
    CVE ID: CVE-2022-20727  
    Security Impact Rating (SIR): Medium  
    CVSS Base Score: 5.1  
    CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
    
    **CVE-2022-20721: Cisco IOx Application Hosting Environment Arbitrary File Read Vulnerability**
    
    A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticated, remote attacker to read arbitrary files from the underlying operating system.
    
    This vulnerability is due to insufficient path validation of command arguments within the Cisco IOx API. An attacker could exploit this vulnerability by sending a crafted command request using the API. A successful exploit could allow the attacker to read the contents of any file that is located on the host device filesystem.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    Bug ID(s): CSCvy86598  
    CVE ID: CVE-2022-20721  
    Security Impact Rating (SIR): Medium  
    CVSS Base Score: 4.9  
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
    
    **CVE-2022-20722: Cisco IOx Application Hosting Environment Path Traversal Vulnerability**
    
    A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticated, remote attacker to read arbitrary files from the underlying host filesystem.
    
    This vulnerability is due to insufficient path validation of command arguments within the Cisco IOx API. An attacker could exploit this vulnerability by sending a crafted command request using the API. A successful exploit could allow the attacker to read the contents of any file that is located on the underlying host filesystem.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    Bug ID(s): CSCvy86602  
    CVE ID: CVE-2022-20722  
    Security Impact Rating (SIR): Medium  
    CVSS Base Score: 4.9  
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
    

*   When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
    
    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    
    **Fixed Releases**
    
    At the time of publication, the release information in the following table(s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
    
    Cisco Platform
    
    First Fixed Release
    
    800 Series Industrial ISRs
    
    Cisco IOS Software Release 15.9(3)M5 and later.
    
    800 Series ISRs
    
    Not fixed; IOx has reached end of life on Cisco 800 Series ISRs.
    
    CGR1000 Compute Modules
    
    IOx image for CGR1000 Compute Module 1.15.0.1
    
    IC3000 Industrial Compute Gateways
    
    Industrial Compute Gateway Software Release 1.4.1
    
    IE 4000 Series Switches
    
    Not fixed; IOx has reached end of life on the Cisco IE 4000 Series Switches.
    
    IOS XE-based devices configured with IOx
    
    Cisco IOS XE Software releases:
    
    *   16.12(7) (All but CSCvy16608 are resolved in 16.12(6))
    *   17.3(5)
    *   17.6(2)
    *   17.7(1) and later
    
    For more information, see the Cisco IOS and IOS XE Software Checker section below.
    
    IR510 WPAN Industrial Routers
    
    IR510 Operating System 6.5.9
    
    The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.
    
    **Cisco IOS and IOS XE Software**
    
    To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides the Cisco Software Checker to identify any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory (“First Fixed”). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified (“Combined First Fixed”).
    
    Customers can use the Cisco Software Checker to search advisories in the following ways:
    
    *   Choose the software and one or more releases
    *   Upload a .txt file that includes a list of specific releases
    *   Enter the output of the **show version** command
    
    After initiating a search, customers can customize the search to include all Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication.
    
    Customers can also use the following form to determine whether a release is affected by any Cisco Security Advisory by entering a Cisco IOS or IOS XE Software release-for example, **15.1(4)M2** or **3.13.8S**:
    
    By default, the Cisco Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, customers can use the Cisco Software Checker on Cisco.com and check the **Medium** check box in the drop-down list under **Impact Rating** when customizing a search.

Tag

#dos