Cisco patches dangerous bug trio in Nexus Dashboard
Inadequate access control and CSRF protections spawn critical and high severity issues.
Serious vulnerabilities in Cisco Nexus Dashboard give attackers a viable path to executing arbitrary commands as root, uploading container image files, or performing cross-site request forgery (CSRF) attacks.
Discovered via internal testing, the trio of unauthenticated bugs – one critical, two high severity – has been patched in the data center management platform's latest software update.
Cisco said it was not aware of any in-the-wild malicious exploitation of the vulnerabilities.
Vulnerable API
The most severe issue, notching a critical CVSS score of 9.8, could allow an attacker to access a vulnerable API running in the data network and execute arbitrary commands (CVE-2022-20857).
The vulnerability can be abused by sending crafted HTTP requests to the API, which, thanks to insufficient access controls, means an attacker can “execute arbitrary commands as the root user in any pod on a node”, reads a security advisory published on July 20.
The more severe of the two high-severity issues is the CSRF bug (CVSS 8.8), which exists in the web UI running in the management network.
The vulnerability (CVE-2022-20861) is exploitable “by persuading an authenticated administrator of the web-based management interface to click a malicious link”, said Cisco. Should they achieve this, attackers could then “perform actions with Administrator privileges on an affected device”.
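The attack pattern described above works because a browser attaches the victim's session cookie to a form post regardless of which site the form came from, so a handler that authorises on the cookie alone accepts the forged request. The following example, added here for illustration and not Cisco's code, shows a generic admin action implemented both ways: a cookie-only handler that a malicious link can drive, and a hardened version that limits the action to POST, pins the request origin to the UI's own host, and requires a per-session synchronizer token. The host name, session store, secret and request objects are constructed stand-ins, not anything from the advisory.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed values for this demonstration: a per-process secret for
# deriving tokens and the (hypothetical) origin the management UI is served from.
SERVER_SECRET = secrets.token_bytes(32)
EXPECTED_ORIGIN = "https://dashboard.example.internal"


@dataclass
class Session:
    session_id: str
    user: str
    role: str


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a web framework would present it."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


# Constructed session store: one logged-in administrator.
SESSIONS = {"sid-admin-1": Session("sid-admin-1", "admin", "admin")}


def lookup_session(request: Request):
    """Resolve the session from the cookie the browser attaches automatically."""
    return SESSIONS.get(request.cookies.get("session", ""))


def issue_csrf_token(session: Session) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session_id).
    The UI embeds it in its own forms; a page on another origin cannot read it."""
    return hmac.new(SERVER_SECRET, session.session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session: Session, token) -> bool:
    if not token:
        return False
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(issue_csrf_token(session), token)


def vulnerable_add_user(request: Request):
    """Authorises on the session cookie alone. The browser sends that cookie
    with a form post from any site, so a click on a malicious link is enough."""
    session = lookup_session(request)
    if session is None or session.role != "admin":
        return 403, "forbidden"
    return 200, f"user {request.form.get('username')} created by {session.user}"


def hardened_add_user(request: Request):
    """Same action, with the state change limited to POST, the origin pinned
    to the UI's own host, and a per-session synchronizer token required."""
    session = lookup_session(request)
    if session is None or session.role != "admin":
        return 403, "forbidden"
    if request.method != "POST":
        return 405, "state-changing action must be POST"
    origin = request.headers.get("Origin") or request.headers.get("Referer")
    if origin and origin != EXPECTED_ORIGIN and not origin.startswith(EXPECTED_ORIGIN + "/"):
        return 403, "cross-origin request rejected"
    if not csrf_token_valid(session, request.form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, f"user {request.form.get('username')} created by {session.user}"


def forged_request() -> Request:
    """Constructed: what arrives when the admin's browser submits a form hosted elsewhere."""
    return Request("POST", "/api/users", headers={"Origin": "https://attacker.example"},
                   form={"username": "backdoor"}, cookies={"session": "sid-admin-1"})


def legitimate_request() -> Request:
    """Constructed: the UI's own form, carrying the token the UI rendered into it."""
    session = SESSIONS["sid-admin-1"]
    return Request("POST", "/api/users", headers={"Origin": EXPECTED_ORIGIN},
                   form={"username": "alice", "csrf_token": issue_csrf_token(session)},
                   cookies={"session": "sid-admin-1"})


if __name__ == "__main__":
    print("vulnerable handler, forged request:", vulnerable_add_user(forged_request()))
    print("hardened handler, forged request:  ", hardened_add_user(forged_request()))
    print("hardened handler, legitimate:      ", hardened_add_user(legitimate_request()))
```

The origin check and the token check are deliberately independent layers: older browsers or proxies may strip `Origin` and `Referer`, in which case the token is what still stops the forged post, while the origin check catches a forged request even if a token were ever leaked. Setting the session cookie with `SameSite=Lax` or `Strict` is a third layer the framework can add at cookie-issue time.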
Finally, a flaw with a CVSS rating of 8.2 (CVE-2022-20858) exposes the service that manages container images in both the data and management networks.
Arising due to insufficient access controls, the vulnerability can be exploited “by opening a TCP connection to the affected service” and downloading container images or uploading malicious container images to an affected device. “The malicious images would be run after the device has rebooted or a pod has restarted,” added Cisco.
Vulnerable versions of Cisco Nexus Dashboard – formerly known as Cisco Application Services Engine – are 1.1, 2.0, 2.1, and 2.2 (although version 1.1 is not affected by CVE-2022-20858). All three flaws have been addressed in version 2.2(1e).
Cisco said no workarounds were available to mitigate the vulnerabilities.