Cisco released patches this week to address three significant security flaws affecting various products—including a high-severity flaw in the NVIDIA Data Plane Development Kit (MLNX_DPDK).
The high-severity vulnerability is tracked on the Common Vulnerabilities and Exposures (CVE) database as CVE-2022-28199 with a Common Vulnerability Scoring System (CVSS) score of 8.6 out of 10. The flaw exists due to a lack of proper error handling in the DPDK network stack; this enables a remote adversary to create a denial-of-service (DoS) condition, as well as causing an impact on data integrity and confidentiality.
Cisco explained, "If an error condition is observed on the device interface, the device may either reload or fail to receive traffic, resulting in a denial-of-service (DoS) condition."
DPDK refers to a set of optimized network interface card (NIC) drivers and libraries that allow for fast packet processing; it offers a comprehensive framework and a common application programming interface (API) designed for high-speed networking applications.
According to Cisco, the company has evaluated its product lineup and determined that the flaw applies to the following products:
· Adaptive Security Virtual Appliance (ASAv)
· Cisco Catalyst 8000V Edge Software
· Secure Firewall Threat Defense Virtual (formerly FTDv)
One of the other patches released was to address a vulnerability in Cisco’s SD-WAN vManage Software that might "allow an unauthenticated, adjacent attacker who has access to the VPN0 logical network to also access the messaging service ports on an affected system."
The flaw, assigned identifier CVE-2022-20696 (with a CVSS score of 7.5), came about, Cisco stated, due to a lack of sufficient protection mechanisms in the messaging server container ports.
Successful exploitation of this flaw could enable attackers to read and insert messages into the messaging service; insertion of messages could be used to cause the system to reload or cause configuration changes—both of which are inherently risk-impacting actions.
The third vulnerability addressed by the most recent patches affects the messaging interface of Cisco Webex App, and is tracked as CVE-2022-20863 with a CVSS score of 4.3. This flaw can allow an unauthenticated, remote attacker to modify links—or additional content—and thereby conduct phishing attacks.
"This vulnerability exists because the affected software does not properly handle character rendering," Cisco stated in its notification of the patches. Cisco went on to explain, "An attacker could exploit this vulnerability by sending messages within the application interface."
The final issue addressed in Cisco’s announcement will actually not be patched. It is an authentication bypass bug, tracked as CVE-2022-20923 with a CVSS score of 4.0. This lower-risk vulnerability affects Cisco Small Business RV110W, RV215W, RV130, and RV130W routers. Cisco explained that no patch will be released because the product will soon reach the end of its support lifespan. Instead of patching, the remediation Cisco recommends is for users to "migrate to Cisco Small Business RV132W, RV160, or RV160W Routers."
Like many major technology companies, Cisco has seen an increase in the number of vulnerabilities it has had to patch across its products, whether due to increased scrutiny by bug hunters and bad actors, improvements in its own flaw detection capabilities, a decrease in the quality of software developed in recent years, or a combination of these and other factors. For users, it is apparent that rapid patching is becoming an ever-greater necessity, and this is difficult to accomplish without a robust security program in place.
Many organizations are recognizing that one of the most cost-effective methods for building and maintaining a quality security program when the world has a lack of experienced security leaders is to engage with Fractional Information Security Officer (FISO) service providers like Webcheck Security. Contact us today to set up a free discussion of how Webcheck can help your organization accomplish its objectives and reduce its risks.