On Wednesday, Cisco released patches to address the issues three security flaws affecting its products, including a high-severity vulnerability disclosed in the NVIDIA Data Plane development kit (MLNX_DPDK) late last month.
Tracked as CVE-2022-28199 (CVSS Score: 8.6), the vulnerability occurs due to the lack of proper error handling in the DPDK network stack, which allows a remote adversary to cause a Denial of Service (DoS) condition and affect data integrity and privacy.
“If a device interface experiences an error, the device may either reboot or fail to receive traffic, resulting in a Denial of Service (DoS) state,” Cisco said in a message published on September 7.
DPDK refers to a set of libraries and optimized network card (NIC) drivers for fast packet processing, offering a framework and common API for high-speed network applications.
Cisco said it had examined its product range and identified the following services that could be affected by the bug, prompting the networking equipment maker to release software updates –
- Cisco Catalyst 8000V Edge Software
- Adaptive Security Virtual Appliance (ASAv) and
- Secure Firewall Virtual Threat Defense (formerly FTDv)
In addition to CVE-2022-28199, Cisco also addressed a vulnerability in the Cisco SD-WAN vManage software that could “allow an unauthenticated adjacency attacker with access to the VPN0 logical network to also access messaging service ports on the compromised system.”
The company called the flaw – assigned an identifier CVE-2022-20696 (CVSS Score: 7.5) – About the lack of “adequate security mechanisms” in the messaging server’s container ports. He credited Orange Business for reporting the vulnerability.
Successful exploitation of the flaw could allow an attacker to view and enter messages into the messaging service, which could cause configuration changes or system reboots, Cisco said.
The third flaw addressed by Cisco is a vulnerability in the Cisco Webex messaging interface (CVE-2022-20863CVSS score: 4.3), which could allow an unauthenticated remote attacker to modify links or other content and conduct phishing attacks.
“This vulnerability exists because the affected software does not properly handle character mapping,” it said. “An attacker could exploit this vulnerability by sending messages in the application interface.”
Cisco acknowledged Rex, Bruce, and Zachery of the Binance Red Team for discovering and reporting the vulnerability.
Finally, he also disclosed the details of the authentication bypass error (CVE-2022-20923CVSS score: 4.0) affecting the Cisco Small Business RV110W, RV130, RV130W, and RV215W routers, which it says will not be fixed because the products are end-of-life (EOL).
“Cisco has not and will not release software updates to address the vulnerability,” it said, urging users to “switch to Cisco Small Business RV132W, RV160, or RV160W routers.”