Black Arrow Cyber Advisory 09/09/2022 – Cisco provides patches to address vulnerabilities across product range
Executive Summary
Cisco has released patches to address two high-severity and one medium-severity security flaws within their product range. One vulnerability, which affects Cisco Catalyst 8000V software, can allow a remote malicious actor to trigger a denial of service condition. The other high-severity vulnerability could allow an unauthenticated attacker who has access to a VPN network to change configuration settings, or cause the system to reload. Cisco also disclosed knowledge of an IPSec VPN Server Authentication Bypass vulnerability which could allow a malicious attacker to bypass authentication onto the VPN and escalate to administrator privileges on an affected device. As affected devices are now out of support, with an end-of-life notice issued, Cisco will not be providing a patch for these devices.
What’s the risk to me or my business?
The first high-severity vulnerability relates to the Cisco cloud virtual routing software, 8000V Edge, and Nvidia MLX5 network cards. The vulnerability itself was disclosed by Nvidia and affects underlying software which is utilised by Cisco. It can be used by a malicious attacker to cause an error condition on the device, which would then cause denial of service. If hybrid business systems are being routed using this product, then there is a possibility of downtime until the issue is patched.
The second vulnerability relates to the Cisco SD-WAN vManage software containers and could allow an attacker who already has access to the organisation's VPN0 network to further compromise critical network infrastructure, resulting in a potential loss of confidentiality, integrity, and availability.
The third, medium-severity vulnerability relates to the Cisco Webex Meetings app and could allow an unauthenticated remote attacker to change the content of links and messages within the application interface, which could lead to a phishing or spoofing attack.
Vulnerability that won’t be fixed in End of Life Devices
Separate to this, Cisco says that a new authentication bypass flaw affecting multiple small business VPN routers will not be patched because the devices have reached end-of-life (EoL).
This zero-day bug (CVE-2022-20923) is caused by a faulty password validation algorithm that attackers could exploit to log into the VPN on vulnerable devices using what the company describes as "crafted credentials" if the IPSec VPN Server feature is enabled.
As this vulnerability could allow an unauthenticated malicious attacker to bypass authentication, gain access to the IPSec VPN network and gain administrative access, compromising the confidentiality, integrity and availability of the network, any unsupported devices should be replaced.
What can I do?
Cisco has released software updates to address the vulnerabilities, which are available for download from their website, and should be applied in line with the organisation’s vulnerability management process to limit availability impact to the business. It is also critical to ensure that all devices in use by an organisation are currently supported by the vendor; otherwise, as in this case, critical security vulnerabilities could be disclosed without any option but to purchase new equipment. The affected equipment stopped receiving software support from Cisco in December 2020.
Technical Summary
The following is a breakdown of the vulnerabilities with the affected Cisco products.
CVE-2022-28199: A remote denial of service vulnerability relating to the DPDK Nvidia Library feature, with a CVSS 3.0 rating of 8.6, which allows a malicious attacker to cause an error condition on the device, causing the device to reload or fail to receive traffic and resulting in a DoS condition. Affected software:
· Cisco Catalyst 8000V Edge Software
· Adaptive Security Virtual Appliance (ASAv)
· Secure Firewall Threat Defense Virtual (formerly FTDv)
Further information on this specific vulnerability can be found here: Vulnerability in NVIDIA Data Plane Development Kit Affecting Cisco Products: August 2022
CVE-2022-20696: A remote vulnerability with a CVSS 3.0 rating of 7.5, which allows a malicious attacker who has the ability to send network traffic to interfaces within the VPN0 logical network to exploit the lack of sufficient protection mechanisms on the messaging server container ports, allowing the attacker to view and inject messages into the messaging service, which could allow for configuration changes or cause the system to reload. Affected software:
· Cisco SD-WAN vManage Software
Further information on this specific vulnerability can be found here: Cisco SD-WAN vManage Software Unauthenticated Access to Messaging Services Vulnerability
CVE-2022-20863: A vulnerability with a CVSS 3.0 rating of 4.3, which allows an unauthenticated malicious attacker to exploit a vulnerability within the character rendering of the Cisco Webex Meetings interface to modify the display of links or other content within the interface, allowing an attacker to potentially conduct phishing or spoofing attacks.
Further information on this specific vulnerability can be found here: Cisco Webex Meetings App Character Interface Manipulation Vulnerability
CVE-2022-20923: A vulnerability with a CVSS 3.0 rating of 4.0, which allows an unauthenticated, remote attacker to exploit a vulnerability within the password validation algorithm to bypass authentication controls and gain access to the IPSec VPN Network. The attacker may even be able to obtain privileges at administrator level depending on the credentials used. No patch will be released for this vulnerability. Affected products:
· RV110W Wireless-N VPN Firewall
· RV130 VPN Router
· RV130W Wireless-N Multifunction VPN Router
· RV215W Wireless-N VPN Router
Further information on this specific vulnerability can be found here: Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers IPSec VPN Server Authentication Bypass Vulnerability