
The Cyber Security News


Cisco Releases Patches for Critical Flaws Impacting Nexus Dashboard for Data Centers

July 21, 2022

Cisco on Wednesday released security patches for 45 vulnerabilities affecting a variety of products, some of which could be exploited to execute arbitrary actions with elevated permissions on affected devices.

Of the 45 bugs, one security vulnerability is rated Critical, a few are rated High, and 41 are rated Medium in severity.

The most serious of the issues are CVE-2022-20857, CVE-2022-20858, and CVE-2022-20861, which affect Cisco Nexus Dashboard for data centers and cloud network infrastructures and could permit an “unauthenticated remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack.”



  • CVE-2022-20857 (CVSS score: 9.8) – Cisco Nexus Dashboard arbitrary command execution vulnerability
  • CVE-2022-20858 (CVSS score: 8.2) – Cisco Nexus Dashboard container image read and write vulnerability
  • CVE-2022-20861 (CVSS score: 8.8) – Cisco Nexus Dashboard cross-site request forgery (CSRF) vulnerability

All three vulnerabilities, which were discovered during internal security testing, affect Cisco Nexus Dashboard 1.1 and later, with fixes available in version 2.2(1e).
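A version-triage check for the range stated above, as an added example (not code from Cisco or from the original article). It assumes releases order by major, minor, maintenance number and then build letter, and the hostnames and inventory versions are constructed.

```python
import re

# Bounds as stated in the article for CVE-2022-20857/20858/20861.
FIRST_AFFECTED = "1.1"
FIXED_IN = "2.2(1e)"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)([a-z]*)\))?$")


def parse_version(text):
    """Turn '2.2(1e)' into a sortable tuple (2, 2, 1, 'e').

    Assumption: releases order by major, minor, maintenance number, then
    build letter. A bare '1.1' is treated as (1, 1, 0, '').
    """
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint, letter = m.groups()
    return (int(major), int(minor), int(maint or 0), letter or "")


def is_affected(version):
    """True if the version is at or above 1.1 and below the fixed release."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v < parse_version(FIXED_IN)


def triage(inventory):
    """Map each host to 'affected', 'not affected' or 'unknown'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            # An unparseable version is never assumed safe; review it by hand.
            result[host] = "unknown"
    return result


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {
    "nd-lab-1": "2.1(2d)",
    "nd-lab-2": "2.2(1e)",
    "nd-lab-3": "1.1(3c)",
    "nd-lab-4": "not reported",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```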


Another high-severity flaw relates to a vulnerability in the SSL/TLS implementation of Cisco Nexus Dashboard (CVE-2022-20860, CVSS score: 7.4) that could allow an unauthenticated, remote attacker to alter communications with associated controllers or view sensitive information.

“An attacker could exploit this vulnerability by using man-in-the-middle techniques to intercept the traffic between the affected device and the controllers, and then using a crafted certificate to impersonate the controllers,” the company said in an advisory.

“A successful exploit could allow the attacker to alter communications between devices or view sensitive information, including Administrator credentials for these controllers.”

Another set of five shortcomings in the Cisco Nexus Dashboard product concerns a mix of four privilege escalation flaws and an arbitrary file write vulnerability that could permit an authenticated attacker to gain root permissions and write arbitrary files to the devices.

Elsewhere fixed by Cisco are 35 vulnerabilities in its Small Business RV110W, RV130, RV130W, and RV215W routers that could equip an adversary already in possession of valid Administrator credentials with capabilities to run arbitrary code or cause a denial-of-service (DoS) condition by sending a specially crafted request to the web-based management interface.


Rounding off the patches is a fix for a cross-site scripting (XSS) vulnerability in the web-based management interface of Cisco IoT Control Center that, if successfully weaponized, could enable an unauthenticated, remote attacker to stage an XSS attack against a user.

“An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link,” Cisco said. “A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.”

Although none of the aforementioned vulnerabilities are said to have been maliciously put to use in real-world attacks, it's imperative that users of the affected appliances move quickly to apply the patches.

The updates also arrived less than two months after Cisco rolled out patches for 10 security flaws, including an arbitrary critical file overwrite vulnerability in Cisco Expressway Series and Cisco TelePresence Video Communication Server (CVE-2022-20812) that could lead to absolute path traversal attacks.



Some parts of this article are sourced from:
thehackernews.com
