Cisco on Wednesday rolled out patches to address three security flaws affecting its products, including a high-severity weakness disclosed in NVIDIA Data Plane Development Kit (MLNX_DPDK) late last month.
Tracked as CVE-2022-28199 (CVSS score: 8.6), the vulnerability stems from a lack of proper error handling in DPDK's network stack, enabling a remote adversary to trigger a denial-of-service (DoS) condition and cause an impact on data integrity and confidentiality.
"If an error condition is observed on the device interface, the device may either reload or fail to receive traffic, resulting in a denial-of-service (DoS) condition," Cisco said in a notice published on September 7.
DPDK refers to a set of libraries and optimized network interface card (NIC) drivers for fast packet processing, offering a framework and common API for high-speed networking applications.
Cisco said it investigated its product lineup and determined the following services to be affected by the bug, prompting the networking equipment maker to release software updates -
- Cisco Catalyst 8000V Edge Software
- Adaptive Security Virtual Appliance (ASAv), and
- Secure Firewall Threat Defense Virtual (formerly FTDv)
Aside from CVE-2022-28199, Cisco has also resolved a vulnerability in its Cisco SD-WAN vManage Software that could "allow an unauthenticated, adjacent attacker who has access to the VPN0 logical network to also access the messaging service ports on an affected system."
The company blamed the shortcoming – assigned the identifier CVE-2022-20696 (CVSS score: 7.5) – on the absence of "sufficient protection mechanisms" in the messaging server container ports. It credited Orange Business for reporting the vulnerability.
Successful exploitation of the flaw could permit the attacker to view and inject messages into the messaging service, which can cause configuration changes or cause the system to reload, Cisco said.
A third flaw remediated by Cisco is a vulnerability in the messaging interface of Cisco Webex App (CVE-2022-20863, CVSS score: 4.3), which could enable an unauthenticated, remote attacker to modify links or other content and conduct phishing attacks.
"This vulnerability exists because the affected software does not properly handle character rendering," it said. "An attacker could exploit this vulnerability by sending messages within the application interface."
Cisco credited Rex, Bruce, and Zachery from Binance Red Team for discovering and reporting the vulnerability.
Lastly, it also disclosed details of an authentication bypass bug (CVE-2022-20923, CVSS score: 4.0) affecting Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers, which it said will not be fixed owing to the products reaching end-of-life (EOL).
"Cisco has not released and will not release software updates to address the vulnerability," the company noted, encouraging users to "migrate to Cisco Small Business RV132W, RV160, or RV160W Routers."
