New Flaws Discovered in Cisco's Network Operating System for Switches
2022-02-24 21:06

Cisco has released software updates to address four security vulnerabilities in its software that could be weaponized by malicious actors to take control of affected systems.

The most critical of the flaws is CVE-2022-20650, which relates to a command injection flaw in the NX-API feature of Cisco NX-OS Software that stems from a lack of sufficient input validation of user-supplied data.

"An attacker could exploit this vulnerability by sending a crafted HTTP POST request to the NX-API of an affected device," Cisco said.

Also patched are two high-severity denial-of-service bugs in NX-OS - CVE-2022-20624 and CVE-2022-20623 - found in the Cisco Fabric Services Over IP and Bidirectional Forwarding Detection traffic functions.

CVE-2022-20624, which was reported to Cisco by the U.S. National Security Agency, impacts Nexus 3000 and 9000 Series Switches and UCS 6400 Series Fabric Interconnects, assuming CFSoIP is enabled.

Lastly, the networking equipment maker also patched a third DoS vulnerability in the Cisco Discovery Protocol service of Cisco FXOS Software and Cisco NX-OS Software, which could "allow an unauthenticated, adjacent attacker to cause the service to restart, resulting in a denial of service condition."


News URL

https://thehackernews.com/2022/02/new-flaws-discovered-in-ciscos-network.html

Related Vulnerability

DATE: 2022-02-23
CVE: CVE-2022-20650
VULNERABILITY TITLE: OS Command Injection vulnerability in Cisco Nx-Os 10.2(1.72)/7.3(8)N1(0.4)
A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges.
RISK: 8.8 (network, low complexity, cisco, CWE-78)

DATE: 2022-02-23
CVE: CVE-2022-20624
VULNERABILITY TITLE: Improper Input Validation vulnerability in Cisco Nx-Os
A vulnerability in the Cisco Fabric Services over IP (CFSoIP) feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
RISK: 7.5 (network, low complexity, cisco, CWE-20)

DATE: 2022-02-23
CVE: CVE-2022-20623
VULNERABILITY TITLE: Unspecified vulnerability in Cisco Nx-Os
A vulnerability in the rate limiter for Bidirectional Forwarding Detection (BFD) traffic of Cisco NX-OS Software for Cisco Nexus 9000 Series Switches could allow an unauthenticated, remote attacker to cause BFD traffic to be dropped on an affected device.
RISK: 7.5 (network, low complexity, cisco)