Cisco has introduced computer software updates to tackle 4 security vulnerabilities in its application that could be weaponized by malicious actors to acquire command of affected units.
The most critical of the flaws is CVE-2022-20650 (CVSS score: 8.8), which relates to a command injection flaw in the NX-API function of Cisco NX-OS Software program that stems from a lack of enough input validation of consumer-provided facts.
“An attacker could exploit this vulnerability by sending a crafted HTTP Put up ask for to the NX-API of an influenced unit,” Cisco mentioned. “A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying running program.”
The flaw impacts Nexus 3000 Collection Switches, Nexus 5500 System Switches, Nexus 5600 Platform Switches, Nexus 6000 Sequence Switches, and Nexus 9000 Series Switches in standalone NX-OS method working Cisco NX-OS Program that have the NX-API attribute enabled.
Also patched are two high-severity denial-of-service (DoS) bugs in NX-OS โ CVE-2022-20624 and CVE-2022-20623 (CVSS scores: 8.6) โ observed in the Cisco Cloth Solutions About IP (CFSoIP) and Bidirectional Forwarding Detection (BFD) traffic functions.
CVE-2022-20624, which was reported to Cisco by the U.S. National Security Agency (NSA), impacts Nexus 3000 and 9000 Sequence Switches and UCS 6400 Sequence Fabric Interconnects, assuming CFSoIP is enabled. CVE-2022-20623, on the other hand, only affects Nexus 9000 Sequence Switches that have BFD toggled on.
And finally, the networking devices maker also patched a third DoS vulnerability (CVE-2022-20625, CVSS rating: 4.3) in the Cisco Discovery Protocol services of Cisco FXOS Software and Cisco NX-OS Software program, which could “enable an unauthenticated, adjacent attacker to induce the service to restart, resulting in a denial of support (DoS) problem.”
Cisco claimed that it is not aware of “any public bulletins or malicious use” of the aforementioned vulnerabilities. That said, it really is suggested that people move quickly to apply the required updates to prevent opportunity actual-environment exploitation.
Found this write-up intriguing? Follow THN on Fb, Twitter ๏ and LinkedIn to go through much more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com