On July 20, 2022, Cisco released a number of CVEs of various severities. Let’s take a closer look at them and the impact they may have on your environment. Many of them have to do with the Cisco Nexus Dashboard.
July 20, 2022 Critical Cisco CVEs
There were a number of critical CVEs released related to the Cisco Nexus Dashboard.
Cisco Nexus Dashboard Unauthorized Access Vulnerabilities
- CVE-2022-20857
- CVE-2022-20858
- CVE-2022-20861
These vulnerabilities could allow unauthenticated remote attackers to execute commands, upload image files, or perform a cross-site request forgery attack.
There are no workarounds to these vulnerabilities.
Remediation: Update to a fixed software release. 2.2(1e) is the first fixed release for the most recent code line.
July 20, 2022 High Cisco CVEs
There is one high priority CVE related to an SSL vulnerability in the Cisco Nexus Dashboard.
Cisco Nexus Dashboard SSL Certificate Validation Vulnerability
- CVE-2022-20860
Once again, this vulnerability relates to unauthenticated access, and there are no workarounds. You must upgrade to a fixed software release.
July 20, 2022 Medium Cisco CVEs – Cisco Nexus Dashboard
There are a number of CVEs related to the Cisco Nexus Dashboard in the medium category as well.
Cisco Nexus Dashboard Privilege Escalation Vulnerabilities
- CVE-2022-20906
- CVE-2022-20907
- CVE-2022-20908
- CVE-2022-20909
We are seeing a trend in this batch of CVEs: they are also related to unauthenticated users being able to perform actions; in this case, a local attacker could elevate privileges.
There are no workarounds for these vulnerabilities.
Remediation: Update to a fixed software release, 2.2(1e).
Cisco Nexus Dashboard Arbitrary File Write Vulnerability
- CVE-2022-20913
An authenticated user can write files on the impacted device.
There is no workaround.
Remediation: Update to a fixed software release, 2.2(1e).
July 20, 2022 Medium Cisco CVEs – Cisco Small Business Routers
There are a number of medium priority CVEs related to Cisco Small Business Routers.
Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Remote Command Execution and Denial of Service Vulnerabilities
- CVE-2022-20873
- CVE-2022-20874
- CVE-2022-20875
- CVE-2022-20876
- CVE-2022-20877
- CVE-2022-20878
- CVE-2022-20879
- CVE-2022-20880
- CVE-2022-20881
- CVE-2022-20882
- CVE-2022-20883
- CVE-2022-20884
- CVE-2022-20885
- CVE-2022-20886
- CVE-2022-20887
- CVE-2022-20888
- CVE-2022-20889
- CVE-2022-20890
- CVE-2022-20891
- CVE-2022-20892
- CVE-2022-20893
- CVE-2022-20894
- CVE-2022-20895
- CVE-2022-20896
- CVE-2022-20897
- CVE-2022-20898
- CVE-2022-20899
- CVE-2022-20900
- CVE-2022-20901
- CVE-2022-20902
- CVE-2022-20903
- CVE-2022-20904
- CVE-2022-20910
- CVE-2022-20911
- CVE-2022-20912
The main issue here is that there are vulnerabilities in the web management interface of these Cisco Small Business Routers that could allow unauthenticated users to execute code on the devices.
There is no workaround for these vulnerabilities.
Remediation: There is no remediation, because Cisco has not released software updates for these products since they are end-of-life.
Cisco suggests migrating to supported routers.
July 20, 2022 Medium Cisco CVEs – Cisco IoT Control Center
There is one medium severity CVE. Can you guess what it relates to?
Cisco IoT Control Center Cross-Site Scripting Vulnerability
- CVE-2022-20916
That’s right, this one also relates to an unauthenticated user being able to conduct a cross-site scripting attack, and there are no workarounds.
Remediation: The good news here is that since this software is cloud based, Cisco has already fixed the issue.
About Cisco Fixed Releases
Cisco uses the term “Fixed Releases” for software that fixes vulnerabilities, and in most cases its guidance is to move to a fixed release. Cisco ensures that the software is available after vulnerability disclosure whenever possible.
If you are using any of these Cisco products, be sure to look at upgrading to the latest fixed release to mitigate the risks.
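A quick way to act on the “move to a fixed release” guidance is to compare each Nexus Dashboard’s installed version against the first fixed release named above, 2.2(1e). The script below is an added example, not Cisco’s tooling or the author’s; it parses Cisco’s “major.minor(release letter)” version strings and triages a constructed, hypothetical device inventory. It only encodes the fixed release stated here for the most recent code line, so other code lines still need to be checked against the vendor advisory.

```python
import re
from typing import Dict, NamedTuple

FIRST_FIXED_RELEASE = "2.2(1e)"  # first fixed release stated above (most recent code line only)


class CiscoVersion(NamedTuple):
    major: int
    minor: int
    release: int
    patch: str  # trailing letter(s) such as "e"; "" sorts lowest, letters compare alphabetically


# Matches e.g. "2.2(1e)", "2.1(2h)" or "3.0(1)"; anything else is treated as unparseable.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)([a-z]*)\)\s*$")


def parse_version(text: str) -> CiscoVersion:
    """Parse a Cisco-style 'major.minor(release[letter])' string into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Cisco version string: {text!r}")
    major, minor, release, patch = m.groups()
    return CiscoVersion(int(major), int(minor), int(release), patch)


def is_fixed(installed: str, first_fixed: str = FIRST_FIXED_RELEASE) -> bool:
    """True when the installed release is at or above the first fixed release (tuple order)."""
    return parse_version(installed) >= parse_version(first_fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each device name to 'fixed', 'vulnerable' or 'unparseable' for manual follow-up."""
    result: Dict[str, str] = {}
    for device, version in inventory.items():
        try:
            result[device] = "fixed" if is_fixed(version) else "vulnerable"
        except ValueError:
            result[device] = "unparseable"
    return result


# Constructed sample inventory: hypothetical device names and versions, not real hosts.
SAMPLE_INVENTORY = {
    "nd-lab-01": "2.1(2h)",
    "nd-lab-02": "2.2(1d)",
    "nd-prod-01": "2.2(1e)",
    "nd-prod-02": "2.2(2d)",
    "nd-unknown": "n/a",
}

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```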
Melissa is an Independent Technology Analyst & Content Creator, focused on IT infrastructure and information security. She is a VMware Certified Design Expert (VCDX-236) and has spent her career focused on the full IT infrastructure stack.