Thursday, July 21, 2022

Cisco Releases Patches for Critical Flaws Impacting Nexus Dashboard for Data Centers


Cisco on Wednesday released security patches for 45 vulnerabilities affecting a variety of products, some of which could be exploited to execute arbitrary actions with elevated permissions on affected systems.

Of the 45 bugs, one security vulnerability is rated Critical, three are rated High, and 41 are rated Medium in severity.

The most severe of the issues are CVE-2022-20857, CVE-2022-20858, and CVE-2022-20861, which impact Cisco Nexus Dashboard for data centers and cloud network infrastructures and could enable an “unauthenticated remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack.”

  • CVE-2022-20857 (CVSS score: 9.8) – Cisco Nexus Dashboard arbitrary command execution vulnerability
  • CVE-2022-20858 (CVSS score: 8.2) – Cisco Nexus Dashboard container image read and write vulnerability
  • CVE-2022-20861 (CVSS score: 8.8) – Cisco Nexus Dashboard cross-site request forgery (CSRF) vulnerability

All three vulnerabilities, which were identified during internal security testing, affect Cisco Nexus Dashboard 1.1 and later, with fixes available in version 2.2(1e).


Another high-severity flaw relates to a vulnerability in the SSL/TLS implementation of Cisco Nexus Dashboard (CVE-2022-20860, CVSS score: 7.4) that could allow an unauthenticated, remote attacker to alter communications with associated controllers or view sensitive information.

“An attacker could exploit this vulnerability by using man-in-the-middle techniques to intercept the traffic between the affected device and the controllers, and then using a crafted certificate to impersonate the controllers,” the company said in an advisory.

“A successful exploit could allow the attacker to alter communications between devices or view sensitive information, including Administrator credentials for these controllers.”

Another set of five shortcomings in the Cisco Nexus Dashboard products concerns a mix of four privilege escalation flaws and an arbitrary file write vulnerability that could allow an authenticated attacker to gain root permissions and write arbitrary files to the devices.

Also resolved by Cisco are 35 vulnerabilities in its Small Business RV110W, RV130, RV130W, and RV215W routers that could equip an adversary already in possession of valid Administrator credentials with the ability to run arbitrary code or cause a denial-of-service (DoS) condition by sending a specially crafted request to the web-based management interface.


Rounding off the patches is a fix for a cross-site scripting (XSS) vulnerability in the web-based management interface of Cisco IoT Control Center that, if successfully weaponized, could allow an unauthenticated, remote attacker to stage an XSS attack against a user.

“An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link,” Cisco said. “A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.”

Although none of the aforementioned vulnerabilities are said to have been maliciously exploited in real-world attacks, it is crucial that users of the affected appliances move quickly to apply the patches.

The updates also arrived less than two weeks after Cisco rolled out patches for 10 security flaws, including an arbitrary critical file overwrite vulnerability in Cisco Expressway Series and Cisco TelePresence Video Communication Server (CVE-2022-20812) that could lead to absolute path traversal attacks.
