Cisco Fixes Bug that lets Attackers Execute Commands as Root
Cisco has addressed severe vulnerabilities in the Cisco Nexus Dashboard data center management solution that can let remote attackers execute commands and perform actions with root or Administrator privileges.
The first security flaw (rated critical severity and tracked as CVE-2022-20857) enables unauthenticated threat actors to access an API by sending crafted HTTP requests to execute arbitrary commands remotely with root privileges “in any pod on a node.”
A second bug (a high severity vulnerability in the web UI tracked as CVE-2022-20861) allows remote attackers to conduct a cross-site request forgery attack by persuading authenticated admins to click a malicious link.
“A successful exploit could allow the attacker to perform actions with Administratorprivileges on an affected device,” Cisco explains.
Another high severity security bug (CVE-2022-20858) patched today can let unauthenticated, remote attackers download container images or upload malicious ones to affected devices by opening a TCP connection to the container image management service.
Luckily, as Cisco explains in a security advisory published today, “the malicious images would be run after the device has rebooted or a pod has restarted.”
The vulnerabilities affect Cisco Nexus Dashboard 1.1 and later. Cisco has addressed the flaws in the 2.2(1e) security update published today and advises customers to migrate to a fixed release as soon as possible.
|Cisco Nexus Dashboard Release||First Fixed Release|
|1.1 (not affected by CVE-2022-20858)||Migrate to a fixed release.|
|2.0||Migrate to a fixed release.|
|2.1||Migrate to a fixed release.|
No in-the-wild exploitation
These security vulnerabilities were found by security researchers with Cisco’s Advanced Security Initiatives Group (ASIG) during internal security testing.
Cisco’s Product Security Incident Response Team (PSIRT) said that the company is unaware of publicly available exploits or active exploitation in the wild.
Also Read: April 2022 PDPC Incidents and Undertaking
Today, Cisco has also patched a fourth vulnerability (CVE-2022-20860) in the SSL/TLS implementation of the Cisco Nexus Dashboard that could let unauthenticated, remote threat actors alter communications by intercepting traffic in man-in-the-middle attacks.
Successful exploitation could also allow attackers to view sensitive information, including Administrator credentials for affected controllers.
“This vulnerability exists because SSL server certificates are not validated when Cisco Nexus Dashboard is establishing a connection to Cisco Application Policy Infrastructure Controller (APIC), Cisco Cloud APIC, or Cisco Nexus Dashboard Fabric Controller, formerly Data Center Network Manager (DCNM) controllers,” the company added in a separate advisory.