Cisco Released Security Updates – 25 August 2022

Cisco has released security updates to address several vulnerabilities in multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The released updates fix multiple vulnerabilities affecting Cisco FXOS Software, Cisco NX-OS Software and Cisco ACI Multi-Site Orchestrator (MSO). The addressed vulnerabilities could allow attackers to perform several attacks, such as denial of service, privilege escalation and remote code execution.

Samples of the addressed vulnerabilities:

  1. Cisco ACI Multi-Site Orchestrator (MSO) Privilege Escalation Vulnerability (CVE-2022-20921):
    Due to improper authorization on specific APIs, a remote attacker could elevate to Administrator privileges by sending specially crafted HTTP requests to the affected device.
    • CVSS: 8.8
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Consequences: Gain Privileges

  2. Cisco FXOS and NX-OS Software Cisco Discovery Protocol Denial of Service and Arbitrary Code Execution Vulnerability (CVE-2022-20824):
    The addressed vulnerability could allow an unauthenticated, adjacent attacker to execute arbitrary code with root privileges or cause a denial of service (DoS) by sending a malicious Cisco Discovery Protocol packet to the affected device.
    • CVSS: 8.8
    • Attack Vector: Adjacent Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Consequences: Gain Access

Vulnerabilities
  • CVE-2022-20823
  • CVE-2022-20824
  • CVE-2022-20921
  • CVE-2022-20865

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

https://tools.cisco.com/security/center/publicationListing.x

References