Cisco on Wednesday rolled out patches to handle three safety flaws affecting its merchandise, together with a high-severity weak point disclosed in NVIDIA Information Airplane Growth Equipment (MLNX_DPDK) late final month.
Tracked as CVE-2022-28199 (CVSS rating: 8.6), the vulnerability stems from a scarcity of correct error dealing with in DPDK’s community stack, enabling a distant adversary to set off a denial-of-service (DoS) situation and trigger an influence on information integrity and confidentiality.
“If an error situation is noticed on the machine interface, the machine might both reload or fail to obtain visitors, leading to a denial-of-service (DoS) situation,” Cisco mentioned in a discover revealed on September 7.
DPDK refers to a set of libraries and optimized community interface card (NIC) drivers for quick packet processing, providing a framework and customary API for high-speed networking functions.
Cisco mentioned it investigated its product lineup and decided the next providers to be affected by the bug, prompting the networking tools maker to launch software program updates –
- Cisco Catalyst 8000V Edge Software program
- Adaptive Safety Digital Equipment (ASAv), and
- Safe Firewall Risk Protection Digital (previously FTDv)
Except for CVE-2022-28199, Cisco has additionally resolved a vulnerability in its Cisco SD-WAN vManage Software program that would “permit an unauthenticated, adjoining attacker who has entry to the VPN0 logical community to additionally entry the messaging service ports on an affected system.”
The corporate blamed the shortcoming – assigned the identifier CVE-2022-20696 (CVSS rating: 7.5) – on the absence of “ample safety mechanisms” within the messaging server container ports. It credited Orange Enterprise for reporting the vulnerability.
Profitable exploitation of the flaw may allow the attacker to view and inject messages into the messaging service, which might trigger configuration modifications or trigger the system to reload, Cisco mentioned.
A 3rd flaw remediated by Cisco is a vulnerability within the messaging interface of Cisco Webex App (CVE-2022-20863, CVSS rating: 4.3), which may allow an unauthenticated, distant attacker to change hyperlinks or different content material and conduct phishing assaults.
“This vulnerability exists as a result of the affected software program doesn’t correctly deal with character rendering,” it mentioned. “An attacker may exploit this vulnerability by sending messages inside the software interface.”
Cisco credited Rex, Bruce, and Zachery from Binance Crimson Staff for locating and reporting the vulnerability.
Lastly, it additionally disclosed particulars of an authentication bypass bug (CVE-2022-20923, CVSS rating: 4.0) affecting Cisco Small Enterprise RV110W, RV130, RV130W, and RV215W Routers, which it mentioned is not going to be fastened owing to the merchandise reaching end-of-life (EOL).
“Cisco has not launched and won’t launch software program updates to handle the vulnerability,” it mentioned, encouraging customers to “migrate to Cisco Small Enterprise RV132W, RV160, or RV160W Routers.”