Security News > 2022 > February > New Flaws Discovered in Cisco's Network Operating System for Switches

Cisco has released software updates to address four security vulnerabilities in its software that could be weaponized by malicious actors to take control of affected systems.

The most critical of the flaws is CVE-2022-20650, which relates to a command injection flaw in the NX-API feature of Cisco NX-OS Software that stems from a lack of sufficient input validation of user-supplied data.

"An attacker could exploit this vulnerability by sending a crafted HTTP POST request to the NX-API of an affected device," Cisco said.

Also patched are two high-severity denial-of-service bugs in NX-OS - CVE-2022-20624 and CVE-2022-20623 - found in the Cisco Fabric Services Over IP and Bidirectional Forwarding Detection traffic functions.

CVE-2022-20624, which was reported to Cisco by the U.S. National Security Agency, impacts Nexus 3000 and 9000 Series Switches and UCS 6400 Series Fabric Interconnects, assuming CFSoIP is enabled.

Lastly, the networking equipment maker also patched a third DoS vulnerability in the Cisco Discovery Protocol service of Cisco FXOS Software and Cisco NX-OS Software, which could "Allow an unauthenticated, adjacent attacker to cause the service to restart, resulting in a denial of service condition."

News URL

https://thehackernews.com/2022/02/new-flaws-discovered-in-ciscos-network.html