Cisco Releases Security Patches for?

• Cisco on Wednesday rolled out patches to address three security flaws affecting its products, including a high-severity weakness disclosed in NVIDIA Data Plane Development Kit (MLNX_DPDK) late last month.
• Tracked as CVE-2022–28199 (CVSS score: 8.6), the vulnerability stems from a lack of proper error handling in DPDK’s network stack, enabling a remote adversary to trigger a denial-of-service (DoS) condition and cause an impact on data integrity and confidentiality.
• Cisco said it investigated its product lineup and determined the following services to be affected by the bug, prompting the networking equipment maker to release software updates -Cisco Catalyst 8000V Edge SoftwareAdaptive Security Virtual Appliance (ASAv), and secure Firewall Threat Defense Virtual (formerly FTDv)Aside from CVE-2022–28199, Cisco has also resolved a vulnerability in its Cisco SD-WAN vManage Software that could “allow an unauthenticated, adjacent attacker who has access to the VPN0 logical network to also access the messaging service ports on an affected system.”
• The company blamed the shortcoming — assigned the identifier CVE-2022–20696 (CVSS score: 7.5) — on the absence of “sufficient protection mechanisms” in the messaging server container ports.
• It credited Orange Business for reporting the vulnerability.
• Successful exploitation of the flaw could permit the attacker to view and inject messages into the messaging service, which can cause configuration changes or cause the system to reload, Cisco said.
• A third flaw remediated by Cisco is a vulnerability in the messaging interface of Cisco Webex App (CVE-2022–20863, CVSS score: 4.3), which could enable an unauthenticated, remote attacker to modify links or other content and conduct phishing attacks.
• “This vulnerability exists because the affected software does not properly handle character rendering,” it said. “
• An attacker could exploit this vulnerability by sending messages within the application interface.
• Lastly, it also disclosed details of an authentication bypass bug (CVE-2022–20923, CVSS score: 4.0) affecting Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers, which it said will not be fixed owing to the products reaching end-of-life (EOL).”Cisco has not released and will not release software updates to address the vulnerability,” it said, encouraging users to “migrate to Cisco Small Business RV132W, RV160, or RV160W Routers.”

To learn more about Vulnerability Assessment, Contact CyberNX

Disclaimer: *Opinions/viewpoints expressed in this blog are entirely personal to the author. Ronnie Rodrigues (CyberNX Technologies Pvt Ltd) has nothing to do with these contents and they are not liable for anything whatsoever*