
Multiple Cisco CVEs Released

On July 20, 2022, Cisco released a number of CVEs of varying severity. Let’s take a closer look at them and the impact they may have on your environment. Many of them have to do with the Cisco Nexus Dashboard.

July 20, 2022 Critical Cisco CVEs

There were a number of critical CVEs released related to the Cisco Nexus Dashboard.

Cisco Nexus Dashboard Unauthorized Access Vulnerabilities

  • CVE-2022-20857
  • CVE-2022-20858
  • CVE-2022-20861

These vulnerabilities could allow unauthenticated remote attackers to execute commands, upload image files, or perform a cross-site request forgery attack.

There are no workarounds to these vulnerabilities.

Remediation: Update to a fixed software release. 2.2(1e) is the first fixed release for the most recent code line.

July 20, 2022 High Cisco CVEs

There is one high-priority CVE related to an SSL vulnerability in the Cisco Nexus Dashboard.

Cisco Nexus Dashboard SSL Certificate Validation Vulnerability

  • CVE-2022-20860

Once again, this vulnerability relates to unauthenticated access, and there are no workarounds. You must upgrade to a fixed software release.

July 20, 2022 Medium Cisco CVEs – Cisco Nexus Dashboard

There are a number of CVEs related to the Cisco Nexus Dashboard in the medium category as well.

Cisco Nexus Dashboard Privilege Escalation Vulnerabilities

  • CVE-2022-20906
  • CVE-2022-20907
  • CVE-2022-20908
  • CVE-2022-20909

We are seeing a trend in this batch of CVEs: they are also related to unauthenticated users being able to perform actions, and in this case a local attacker could elevate privileges.

There are no workarounds for these vulnerabilities.

Remediation: Update to fixed software release 2.2(1e).

Cisco Nexus Dashboard Arbitrary File Write Vulnerability

  • CVE-2022-20913

An authenticated user can write files on the impacted device.

There is no workaround.

Remediation: Update to fixed software release 2.2(1e).

July 20, 2022 Medium Cisco CVEs – Cisco Small Business Routers

There is a set of medium-priority CVEs related to Cisco Small Business Routers.

Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Remote Command Execution and Denial of Service Vulnerabilities

  • CVE-2022-20873
  • CVE-2022-20874
  • CVE-2022-20875
  • CVE-2022-20876
  • CVE-2022-20877
  • CVE-2022-20878
  • CVE-2022-20879
  • CVE-2022-20880
  • CVE-2022-20881
  • CVE-2022-20882
  • CVE-2022-20883
  • CVE-2022-20884
  • CVE-2022-20885
  • CVE-2022-20886
  • CVE-2022-20887
  • CVE-2022-20888
  • CVE-2022-20889
  • CVE-2022-20890
  • CVE-2022-20891
  • CVE-2022-20892
  • CVE-2022-20893
  • CVE-2022-20894
  • CVE-2022-20895
  • CVE-2022-20896
  • CVE-2022-20897
  • CVE-2022-20898
  • CVE-2022-20899
  • CVE-2022-20900
  • CVE-2022-20901
  • CVE-2022-20902
  • CVE-2022-20903
  • CVE-2022-20904
  • CVE-2022-20910
  • CVE-2022-20911
  • CVE-2022-20912

The main issue here is that there are vulnerabilities in the web management interface of these Cisco Small Business Routers that could allow unauthenticated users to execute code on the devices.

There is no workaround for these vulnerabilities.

Remediation: There is no remediation, because Cisco has not released software updates for these products since they are end-of-life.

Cisco suggests migrating to supported routers.
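The two remediation paths above (upgrade Nexus Dashboard to 2.2(1e) or later; migrate off the end-of-life RV110W/RV130/RV130W/RV215W routers) can be turned into a simple inventory check. The following is an added example, not code from this post or from Cisco: it parses Nexus Dashboard version strings of the form `2.2(1e)` into comparable tuples and flags hosts that are below the first fixed release or that run one of the listed end-of-life models. The inventory is constructed for illustration, and the check assumes 2.2(1e) is the threshold for every code line, which the post states only for the most recent one.

```python
import re
from typing import NamedTuple

# Constructed inventory for the example; these are not real devices.
CONSTRUCTED_INVENTORY = [
    {"host": "nd-01", "product": "Cisco Nexus Dashboard", "version": "2.1(2d)"},
    {"host": "nd-02", "product": "Cisco Nexus Dashboard", "version": "2.2(1e)"},
    {"host": "nd-03", "product": "Cisco Nexus Dashboard", "version": "2.2(2a)"},
    {"host": "branch-rtr", "product": "Cisco RV130W", "version": "1.0.3.55"},
    {"host": "core-sw", "product": "Cisco Nexus 9000", "version": "10.2(3)"},
]

# First fixed Nexus Dashboard release named in the advisory summary.
# Assumption: used here as the threshold for all code lines.
ND_FIRST_FIXED = "2.2(1e)"

# Small Business router models the advisory lists as end-of-life (no fix coming).
EOL_SMALL_BUSINESS = ("RV110W", "RV130W", "RV130", "RV215W")

# Nexus Dashboard versions look like MAJOR.MINOR(MAINTENANCE[letter]).
_ND_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)$")


class NdVersion(NamedTuple):
    major: int
    minor: int
    maintenance: int
    patch: str  # trailing letter, empty if absent; "" sorts before "a"


def parse_nd_version(text: str) -> NdVersion:
    """Parse a Nexus Dashboard version such as '2.2(1e)' into a comparable tuple."""
    m = _ND_VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Nexus Dashboard version: {text!r}")
    major, minor, maint, patch = m.groups()
    return NdVersion(int(major), int(minor), int(maint), patch)


def nd_is_fixed(version: str, first_fixed: str = ND_FIRST_FIXED) -> bool:
    """True if the running version is at or above the first fixed release."""
    return parse_nd_version(version) >= parse_nd_version(first_fixed)


def assess_inventory(inventory):
    """Return (host, action, reason) findings for hosts that need attention."""
    findings = []
    for item in inventory:
        product = item["product"]
        if "Nexus Dashboard" in product:
            if not nd_is_fixed(item["version"]):
                findings.append((
                    item["host"],
                    "upgrade",
                    f"Nexus Dashboard {item['version']} is below {ND_FIRST_FIXED}",
                ))
        elif any(model in product for model in EOL_SMALL_BUSINESS):
            findings.append((
                item["host"],
                "migrate",
                "end-of-life Small Business router; no fixed release will ship",
            ))
    return findings


if __name__ == "__main__":
    for host, action, reason in assess_inventory(CONSTRUCTED_INVENTORY):
        print(f"{host}: {action} ({reason})")
```

Feed `assess_inventory` whatever your CMDB or monitoring export produces in the same shape; anything that is not a Nexus Dashboard or a listed router model is simply skipped, so the check stays silent on products the advisory does not cover.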

July 20, 2022 Medium Cisco CVEs – Cisco IoT Control Center

There is one medium severity CVE. Can you guess what it relates to?

Cisco IoT Control Center Cross-Site Scripting Vulnerability

  • CVE-2022-20916

That’s right, this one also relates to an unauthenticated user being able to conduct a cross-site scripting attack, and there are no workarounds.

Remediation: The good news here is that since this software is cloud-based, Cisco has already fixed the issue.

About Cisco Fixed Releases

Cisco uses the term “Fixed Releases” for software that fixes vulnerabilities, and in most cases its guidance is to move to a fixed release. Cisco ensures that the software is available at the time of vulnerability disclosure whenever possible.

If you are using any of these Cisco products, be sure to look at upgrading to the latest fixed release to mitigate the risks.