Cisco data centre management software needs vulnerabilities patched

It’s Cisco patch day for Nexus Dashboard customers, with multiple critical vulnerabilities uncovered.

The Nexus Dashboard is a monitoring suite for data centre infrastructure, and Cisco has found one bug with a critical rating, three high-severity bugs, and four medium-severity bugs in the system.

This advisory details CVE-2022-20857, CVE-2022-20861, and CVE-2022-20858.

CVE-2022-20857, the critical vulnerability, is a flaw in an unspecified API, that gives an unauthenticated attacker remote code execution access over the data network, by sending crafted HTTP requests.

The advisory warns that “successful exploit could allow the attacker to execute arbitrary commands as the root user in any pod on a node”.

CVE-2022-20861 is a cross-site request forgery vulnerability rated as high severity, because an exploit “could allow the attacker to perform actions with administrator privileges on an affected device.”

The attacker would have to persuade an authenticated administrator to click on a malicious link, and would have to have access to the management network.

CVE-2022-20858, also rated high severity, could allow an “unauthenticated, remote attacker to access a service that is running in the data and management networks on an affected device”.

Cisco discovered that a service that manages container images has insufficient access controls, letting an attacker download container images, or upload malicious container images to an affected device. 

“The malicious images would be run after the device has rebooted or a pod has restarted”, the advisory stated.

In this advisory (CVE-2022-20860), Cisco details a flaw in the SSL/TLS implementation used by Nexus Dashboard.

“SSL server certificates are not validated when Cisco Nexus Dashboard is establishing a connection to Cisco Application Policy Infrastructure Controller (APIC), Cisco Cloud APIC, or Cisco Nexus Dashboard Fabric Controller, formerly Data Center Network Manager (DCNM) controllers”, the advisory explained.

A person-in-the-middle could impersonate the controllers, alter communications between devices, and view sensitive information like administrator credentials.

The third advisory details three bugs, CVE-2022-20906, CVE-2022-2090 and CVE-2022-20908, rated as medium severity because they offer a local, authenticated attacker to escalate their privileges.

“These vulnerabilities are due to insufficient input validation during CLI command execution on an affected device,” the advisory explains.

“An attacker could exploit these vulnerabilities by authenticating as the rescue-user and executing vulnerable CLI commands using a malicious payload.”

Similarly, CVE-2022-20913 is only exploitable by a local authenticated attacker, who could write arbitrary files on an affected device, and is rated as medium severity.

Nexus Dashboard users need to migrate to Version 2.2 to address these vulnerabilities.