Cisco's September patch day: bugs swarm in IOS XE

Denial of service, arbitrary code execution.

Cisco has disclosed 14 high-severity bugs, most of which affect its IOS XE operating system.

A large number of the vulnerabilities are different kinds of denial-of-service.

CVE-2022-20837 is a bug in IOS XE’s NAT DNS implementation, and it allows an unauthenticated remote attacker to force the device to reload.

“This vulnerability is due to a logic error that occurs when an affected device inspects certain TCP DNS packets. An attacker could exploit this vulnerability by sending crafted DNS packets through the affected device that is performing NAT for DNS packets,” the advisory stated.

CVE-2022-20856 is another denial-of-service bug: control and provisioning messages to the wireless control software in the Catalyst 9000 family can be used to crash a target by causing resource exhaustion.

In CVE-2022-20915, the DoS attack is executed by sending crafted IPv6 packets that exploit a bug in IOS XE’s IPv6 VPN over MPLS implementation.

Common Industrial Protocol packets are insufficiently validated by IOS XE in CVE-2022-20919; IPv4 packets can crash various Catalyst switches running IOS XE in CVE-2022-20870; and IOS’s or IOS XE’s SSH processing can be attacked in CVE-2022-20920.

The IOS XE wireless controller’s DHCP capability can be abused in some Catalyst switches (CVE-2022-20847), and UDP processing on some Catalyst 9100 access points can be crashed (CVE-2022-20848).

The company’s AireOS wireless LAN controller software can also be hosed with crafted packets, in CVE-2022-20769.

Code execution

If an attacker is more interested in arbitrary code execution, they could try to exploit CVE-2022-20855.

This bug exists in the self-healing functionality of Cisco IOS XE Software for Embedded wireless controllers on Catalyst access points: an authenticated local attacker can escape the shell and execute commands on the AP’s operating system as root.

CVE-2022-20944 is another code execution bug, but it’s not easy to exploit. Cisco IOS XE for Catalyst 9200 switches allows an “unauthenticated, physical attacker to execute unsigned code at system boot time”.

The bug would enable a supply chain attack – someone between vendor and customer could load malicious software on a switch, for example, because they can bypass the software image verification process.

The last of the high-severity bugs is in Cisco’s SD-WAN controller: in CVE-2022-20775 and CVE-2022-20818, the command line interface has improper access controls, letting an attacker execute arbitrary commands as root.

Another eight medium-severity bugs were listed this week.

Copyright © iTnews.com.au. All rights reserved.