Cisco patches vulnerable operating systems

Cisco has shipped patches for three high-severity vulnerabilities in various software products.

The FXOS software that powers the vendor’s Firepower security products, and the NX-OS software in various Cisco switch products, share a vulnerability that exposes products to denial-of-service and arbitrary code execution as root.

CVE-2022-20824 affects the operating systems’ discovery protocol, and is exploitable by an “unauthenticated, adjacent attacker”.

An input validation failure means an attacker can send a malicious packet to the affected devices, which include two Firepower appliances, one MDS multilayer switch, ten Nexus series switches, and three UCS Series fabric interconnect series.

The company warns that in all affected products except some configurations of the Nexus 9000, Cisco Discovery Protocol is enabled by default.

Firepower 1000 and Firepower 2100 series products are not affected.

The bug was reported by an anonymous researcher working with the Dutch National Cyber Security Centre.

NX-OS is also vulnerable to an OSPFv3 denial-of-service vulnerability, reported as CVE-2022-20823.

Because of “incomplete input validation” of OSPFv3 link-state advertisements, an attacker can “cause the OSPFv3 process to crash and restart multiple times, causing the affected device to reload”.

The severity of the bug is mitigated by the conditions required to exploit it: OSPFv3 has to be enabled, and “an attacker must be able to establish a full OSPFv3 neighbor state with an affected device.

This requires the attacker to use OSPFv3 parameters that are compatible with the affected device, including valid authentication information if OSPFv3 authentication is configured on the device.”

The vulnerability was discovered by Cisco’s Sivasankar Sundararaj.

The other high severity bug is in Cisco’s ACI Multi-Site Orchestrator.

CVE-2022-20921 is a privilege escalation bug that exists because of improper authorisation on “specific APIs”.

A crafted HTTP request “could allow an attacker who is authenticated with non-Administrator privileges to elevate to Administrator privileges on an affected device,” Cisco’s advisory said.

The vulnerability was reported to Cisco by Vipin Chaudhary of Securify, and the vendor says proof-of-concept code is available.