Cisco Releases Security Patches for New Vulnerabilities Impacting Multiple Products


Cisco on Wednesday rolled out patches to address three security flaws affecting its products, including a high-severity weakness disclosed in NVIDIA Data Plane Development Kit (MLNX_DPDK) late last month.

Tracked as CVE-2022-28199 (CVSS score: 8.6), the vulnerability stems from a lack of proper error handling in DPDK’s network stack, enabling a remote adversary to trigger a denial-of-service (DoS) condition and affect data integrity and confidentiality.

“If an error condition is observed on the device interface, the device may either reload or fail to receive traffic, resulting in a denial-of-service (DoS) condition,” Cisco said in a notice published on September 7.

DPDK refers to a set of libraries and optimized network interface card (NIC) drivers for fast packet processing, offering a framework and common API for high-speed networking applications.

Cisco said it investigated its product lineup and determined the following services to be affected by the bug, prompting the networking equipment maker to release software updates:

  • Cisco Catalyst 8000V Edge Software
  • Adaptive Security Virtual Appliance (ASAv), and
  • Secure Firewall Threat Defense Virtual (formerly FTDv)

Aside from CVE-2022-28199, Cisco has also resolved a vulnerability in its Cisco SD-WAN vManage Software that could “allow an unauthenticated, adjacent attacker who has access to the VPN0 logical network to also access the messaging service ports on an affected system.”

The company blamed the shortcoming – assigned the identifier CVE-2022-20696 (CVSS score: 7.5) – on the absence of “sufficient protection mechanisms” in the messaging server container ports. It credited Orange Business for reporting the vulnerability.

Successful exploitation of the flaw could permit the attacker to view and inject messages into the messaging service, which can cause configuration changes or cause the system to reload, Cisco said.

A third flaw remediated by Cisco is a vulnerability in the messaging interface of Cisco Webex App (CVE-2022-20863, CVSS score: 4.3), which could enable an unauthenticated, remote attacker to modify links or other content and conduct phishing attacks.

“This vulnerability exists because the affected software does not properly handle character rendering,” it said. “An attacker could exploit this vulnerability by sending messages within the application interface.”

Cisco credited Rex, Bruce, and Zachery from Binance Red Team for discovering and reporting the vulnerability.

Lastly, it also disclosed details of an authentication bypass bug (CVE-2022-20923, CVSS score: 4.0) affecting Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers, which it said will not be fixed owing to the products reaching end-of-life (EOL).

“Cisco has not released and will not release software updates to address the vulnerability,” it said, encouraging users to “migrate to Cisco Small Business RV132W, RV160, or RV160W Routers.”
