Threat Intelligence Blog
Black Arrow Cyber Advisory 26/08/2022 – Cisco provides patches for high-rated vulnerabilities within their business switch product line
Executive Summary
Cisco has released patches for two high severity vulnerabilities in its NX-OS software, which runs on the Nexus line of switches. The first could allow an unauthenticated, remote attacker to cause a denial of service on the device. The second, which also affects Cisco FXOS, could allow an unauthenticated attacker on the same Layer 2 network segment as the device to execute arbitrary code as root, or to cause a denial of service. Cisco has also patched a third high severity vulnerability in the ACI Multi-Site Orchestrator, which could allow a remote, authenticated attacker to escalate their privileges to administrator on the affected product.
What’s the risk to me or my business?
The first high severity vulnerability relates to the OSPFv3 feature, the IPv6 version of the OSPF routing protocol. Because affected devices may sit on the network perimeter and the flaw can be triggered remotely without authentication, a denial of service could take down key network infrastructure across an organisation. Note that OSPFv3 is disabled by default. The second high severity vulnerability could allow an attacker who already has a foothold on the organisation's network, on the same Layer 2 segment as the device, to take full control of critical network infrastructure by running code as root, resulting in a potential loss of confidentiality, integrity and availability. The third high severity vulnerability, in the Multi-Site Orchestrator (used to interconnect and manage multiple locations as a single network), could allow an attacker who already holds a non-privileged account to escalate to administrator privileges, again with a potential loss of confidentiality, integrity and availability across the network.
What can I do?
Cisco has released software updates that address all three vulnerabilities. They are available for download from Cisco's website and should be applied in line with the organisation's vulnerability management process, with device reloads scheduled to limit the availability impact on the business. The OSPFv3 vulnerability cannot be exploited unless the OSPFv3 feature is enabled, and it is disabled by default; confirm on each affected device whether the feature is in use when prioritising, but still apply the fix, since the feature may be enabled later.
Technical Summary
The following is a breakdown of each vulnerability and the Cisco products it affects.
CVE-2022-20823: A remote denial of service vulnerability in the OSPFv3 feature of NX-OS, with a CVSS base score of 8.6. It is due to incomplete input validation of OSPFv3 packets: an unauthenticated, remote attacker sends a malicious OSPFv3 link-state advertisement (LSA) to an affected device, causing the OSPFv3 process to crash and restart repeatedly until the device reloads, resulting in a DoS condition. It is only exploitable where OSPFv3 is enabled, which it is not by default. Affected devices:
· Nexus 3000 Series Switches
· Nexus 5500 Platform Switches
· Nexus 5600 Platform Switches
· Nexus 6000 Series Switches
· Nexus 7000 Series Switches
· Nexus 9000 Series Fabric Switches in ACI mode
· Nexus 9000 Series Switches in standalone NX-OS mode
Further information on this specific vulnerability can be found here: Cisco NX-OS Software OSPFv3 Denial of Service Vulnerability
CVE-2022-20824: An arbitrary code execution and denial of service vulnerability in the Cisco Discovery Protocol (CDP) handling of FXOS and NX-OS, with a CVSS base score of 8.8. CDP is a Layer 2 protocol that is not routed, so the attacker needs no credentials but must be on the same Layer 2 broadcast domain as the affected device (Layer 2 adjacent). By sending a malicious CDP packet that triggers improper input validation, they can execute arbitrary code as the root user or reload the device, resulting in a DoS condition. Affected devices:
· Firepower 4100 Series
· Firepower 9300 Security Appliances
· MDS 9000 Series Multilayer Switches
· Nexus 1000 Virtual Edge for VMware vSphere
· Nexus 1000V Switch for Microsoft Hyper-V
· Nexus 1000V Switch for VMware vSphere
· Nexus 3000 Series Switches
· Nexus 5500 Platform Switches
· Nexus 5600 Platform Switches
· Nexus 6000 Series Switches
· Nexus 7000 Series Switches
· Nexus 9000 Series Fabric Switches in ACI mode
· Nexus 9000 Series Switches in standalone NX-OS mode
· UCS 6200 Series Fabric Interconnects
· UCS 6300 Series Fabric Interconnects
· UCS 6400 Series Fabric Interconnects
Further information on this specific vulnerability can be found here: Cisco FXOS and NX-OS Software Cisco Discovery Protocol Denial of Service and Arbitrary Code Execution Vulnerability
CVE-2022-20921: A privilege escalation vulnerability with a CVSS base score of 8.8 in the API implementation of Cisco ACI Multi-Site Orchestrator (MSO), which allows a remote, authenticated attacker with a non-privileged account to send a crafted HTTP request and elevate to administrator privileges on the affected product. Note that after release 3.4, Cisco ACI MSO was renamed Cisco Nexus Dashboard Orchestrator (NDO); Cisco NDO is not affected by this vulnerability.
Further information on this specific vulnerability can be found here: Cisco ACI Multi-Site Orchestrator Privilege Escalation Vulnerability
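To turn the affected-device lists above and the OSPFv3 caveat from "What can I do?" into a repeatable check across a fleet, here is an added triage script written for this page; it is not Cisco's or Black Arrow's code. It assumes the product family of each device is already known from inventory, and that the NX-OS `show feature` and `show cdp global` commands produce output in the layout shown in the constructed samples (confirm this against your release). It does not check the software version against Cisco's fixed-release tables, which remains a separate step.

```python
"""Exposure triage for the CVEs in this advisory.

Editor's added example, not Cisco's or Black Arrow's code. It checks a device's
product family against the affected-device lists above and parses NX-OS
'show feature' and 'show cdp global' output to see whether the feature each
bug depends on is turned on. CLI samples are constructed, and the command
output layout is an assumption to confirm against your release. Software
version is not checked here; compare it with Cisco's fixed-release tables.
"""
import re
from dataclasses import dataclass

# Product families copied from the affected-device lists in the Technical Summary.
CVE_2022_20823_FAMILIES = {
    "Nexus 3000", "Nexus 5500", "Nexus 5600", "Nexus 6000", "Nexus 7000",
    "Nexus 9000 ACI", "Nexus 9000 NX-OS",
}
CVE_2022_20824_FAMILIES = CVE_2022_20823_FAMILIES | {
    "Firepower 4100", "Firepower 9300", "MDS 9000",
    "Nexus 1000 Virtual Edge", "Nexus 1000V Hyper-V", "Nexus 1000V vSphere",
    "UCS 6200", "UCS 6300", "UCS 6400",
}

@dataclass
class Device:
    name: str
    family: str                # one of the family strings above, from inventory
    show_feature: str = ""     # raw output of 'show feature'
    show_cdp_global: str = ""  # raw output of 'show cdp global'

@dataclass
class Finding:
    cve: str
    exploitable_now: bool      # the feature the bug depends on is enabled
    action: str

def feature_state(show_feature: str, feature: str) -> str:
    """Return 'enabled', 'disabled' or 'absent' for a 'show feature' row.
    Assumed row layout: '<feature-name> <instance> <state>'."""
    pattern = re.compile(rf"^\s*{re.escape(feature)}\s+\d+\s+(enabled|disabled)\b")
    for line in show_feature.splitlines():
        m = pattern.match(line)
        if m:
            return m.group(1)
    return "absent"

def cdp_globally_enabled(show_cdp_global: str) -> bool:
    """'show cdp global' is assumed to print 'CDP enabled globally' or 'CDP disabled
    globally'. Anything else is treated as enabled, the NX-OS default, to fail safe."""
    return re.search(r"CDP\s+disabled\s+globally", show_cdp_global) is None

def triage(dev: Device) -> list[Finding]:
    findings: list[Finding] = []
    if dev.family in CVE_2022_20823_FAMILIES:
        state = feature_state(dev.show_feature, "ospfv3")
        if state == "enabled":
            findings.append(Finding("CVE-2022-20823", True,
                "OSPFv3 enabled: remote unauthenticated DoS possible, patch now"))
        else:
            # Per the advisory the bug cannot be exploited while OSPFv3 is off
            # (the default), so this can follow the normal patch cycle.
            findings.append(Finding("CVE-2022-20823", False,
                f"OSPFv3 {state}: not exploitable until enabled, patch in normal cycle"))
    if dev.family in CVE_2022_20824_FAMILIES:
        if cdp_globally_enabled(dev.show_cdp_global):
            findings.append(Finding("CVE-2022-20824", True,
                "CDP enabled: Layer 2 adjacent attacker can gain root, patch now"))
        else:
            # The advisory text names no workaround for this bug, so CDP being off
            # only narrows the exposed surface; the fixed release is still required.
            findings.append(Finding("CVE-2022-20824", False,
                "CDP disabled globally: reduced exposure, still patch"))
    return findings

# Constructed sample output, not captured from a real device.
SHOW_FEATURE_SAMPLE = """\
Feature Name          Instance  State
--------------------  --------  --------
bgp                    1          enabled
lldp                   1          enabled
ospf                   1          enabled
ospfv3                 1          disabled
"""
SHOW_CDP_GLOBAL_SAMPLE = """\
Global CDP information:
    CDP enabled globally
    Refresh time is 60 seconds
    Hold time is 180 seconds
"""

if __name__ == "__main__":
    core = Device("core-sw-01", "Nexus 9000 NX-OS", SHOW_FEATURE_SAMPLE, SHOW_CDP_GLOBAL_SAMPLE)
    for f in triage(core):
        print(f"{core.name} {f.cve} exploitable_now={f.exploitable_now}: {f.action}")
```

Run against the constructed sample, the Nexus 9000 comes back as not currently exploitable for CVE-2022-20823 (OSPFv3 disabled) but exploitable for CVE-2022-20824 (CDP on, the default), which is the prioritisation the advisory text implies. A product outside both lists, such as Nexus Dashboard Orchestrator, yields no findings. Feed it real `show feature` and `show cdp global` captures and your inventory's family labels, and pair it with a version check against Cisco's fixed releases.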