Inadequate access control and CSRF protections spawn critical and high severity issues

Serious vulnerabilities in Cisco Nexus Dashboard give attackers a viable path to executing arbitrary commands as root, uploading container image files, or performing cross-site request forgery (CSRF) attacks.

Discovered via internal testing, the trio of unauthenticated bugs – one critical, two high severity – have been patched in the data center management platform’s latest software update.

Cisco said it was not aware of any in-the-wild malicious abuse of the vulnerabilities.

Vulnerable API

The most severe issue, notching a critical CVSS score of 9.8, could allow an attacker to access a vulnerable API running in the data network and execute arbitrary commands (CVE-2022-20857).

The vulnerability can be abused by sending crafted HTTP requests to the API; because of insufficient access controls, a successful attacker could “execute arbitrary commands as the root user in any pod on a node”, reads a security advisory published on July 20.

The most severe of two high severity issues is the CSRF bug (CVSS 8.8), which exists in the web UI running in the management network.

The vulnerability (CVE-2022-20861) is exploitable “by persuading an authenticated administrator of the web-based management interface to click a malicious link”, said Cisco. Should they achieve this, attackers could then “perform actions with Administrator privileges on an affected device”.

Finally, a flaw with a CVSS rating of 8.2 (CVE-2022-20858) exposes the service that manages container images in both the data and management networks.

Arising due to insufficient access controls, the vulnerability can be exploited “by opening a TCP connection to the affected service” and downloading container images or uploading malicious container images to an affected device. “The malicious images would be run after the device has rebooted or a pod has restarted,” added Cisco.

Vulnerable versions of Cisco Nexus Dashboard – formerly known as Cisco Application Services Engine – are 1.1, 2.0, 2.1, and 2.2 (although version 1.1 is not affected by CVE-2022-20858). All three flaws have been addressed in version 2.2(1e).

Cisco was unable to provide workarounds to mitigate risks.
