Cisco announced this week that patches for four vulnerabilities in its FXOS and NX-OS network operating systems are now available, including one denial-of-service flaw that was identified by the National Security Agency (NSA).
The most serious of the four, with a CVSS score of 8.8, is CVE-2022-20650, a command injection flaw that can be exploited remotely without authentication to execute arbitrary commands as root.
The flaw exists because user-supplied input is not properly validated, allowing an attacker to execute commands on the underlying operating system by sending a crafted HTTP POST request to the NX-API feature on an affected device. Cisco points out that NX-API is disabled by default.
This vulnerability affects Nexus 3000, 5500, 5600, 6000, and 9000 series switches that run an unpatched NX-OS software release and have the NX-API capability enabled.
The remaining three vulnerabilities can all be exploited to cause denial of service (DoS) conditions.
The vulnerability reported by the NSA, tracked as CVE-2022-20624 and rated high severity, affects the Cisco Fabric Services over IP (CFSoIP) feature of NX-OS. It exists because incoming CFSoIP packets are not adequately validated, so an attacker can exploit it by sending crafted CFSoIP packets to an affected device.
If CFSoIP is enabled (it is disabled by default), the issue affects Nexus 3000 and 9000 series switches, as well as UCS 6400 series fabric interconnects. The NSA has not disclosed any other information about the vulnerability.
Another DoS flaw, in the NX-OS rate limiter for Bidirectional Forwarding Detection (BFD) traffic, is tracked as CVE-2022-20623 and can be exploited remotely, without authentication, to cause BFD traffic to be dropped. Only Nexus 9000 series switches running standalone NX-OS are affected.
The issue stems from a logic fault in the BFD rate limiter functionality and can be exploited by sending a crafted stream of traffic through the vulnerable device, causing IPv4 and IPv6 traffic to be dropped and resulting in a DoS condition.
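For a defender triaging an estate against the three NX-OS advisories above, the stated exposure conditions (platform family, whether the optional feature is enabled, standalone versus ACI mode) can be encoded as a small check. The following Python is an added example, not Cisco's tooling or anything from the original article. It assumes that NX-API and CFSoIP appear in a running configuration as `feature nxapi` and `cfs ipv4 distribute` / `cfs ipv6 distribute` respectively, and the sample configuration is constructed. Fixed-release numbers are not on this page, so the script reports only whether a device meets the stated preconditions, not whether it is patched.

```python
import re

# Exposure conditions for the three NX-OS flaws as the advisory summary states
# them. CVE ids and platform families come from that summary; the running-config
# patterns are an assumption about how each feature appears in NX-OS
# configuration (`feature nxapi`, `cfs ipv4|ipv6 distribute`).
EXPOSURE_RULES = [
    {
        "cve": "CVE-2022-20650",
        "families": {"Nexus 3000", "Nexus 5500", "Nexus 5600", "Nexus 6000", "Nexus 9000"},
        "modes": None,                                   # no mode restriction stated
        "requires": re.compile(r"^\s*feature nxapi\s*$", re.M),
        "why": "NX-API enabled: unauthenticated remote command injection as root",
    },
    {
        "cve": "CVE-2022-20624",
        "families": {"Nexus 3000", "Nexus 9000", "UCS 6400"},
        "modes": None,
        "requires": re.compile(r"^\s*cfs ipv[46] distribute\s*$", re.M),
        "why": "CFSoIP enabled: crafted CFSoIP packets cause a DoS",
    },
    {
        "cve": "CVE-2022-20623",
        "families": {"Nexus 9000"},
        "modes": {"standalone"},                         # ACI-mode 9000s are not listed
        "requires": None,                                # no feature prerequisite stated
        "why": "BFD rate-limiter logic fault: crafted traffic drops IPv4/IPv6 forwarding",
    },
]


def assess_exposure(family, running_config, mode="standalone"):
    """Return [(cve, reason), ...] for every rule whose stated conditions the device meets.

    family:         platform family string, e.g. "Nexus 9000" or "UCS 6400"
    running_config: text of `show running-config` (or equivalent)
    mode:           "standalone" or "aci"; only the BFD rule is mode-restricted
    """
    findings = []
    for rule in EXPOSURE_RULES:
        if family not in rule["families"]:
            continue
        if rule["modes"] is not None and mode not in rule["modes"]:
            continue
        if rule["requires"] is not None and not rule["requires"].search(running_config):
            continue
        findings.append((rule["cve"], rule["why"]))
    return findings


def exposed_cves(family, running_config, mode="standalone"):
    """Just the CVE ids, in rule order, for quick comparison or reporting."""
    return [cve for cve, _ in assess_exposure(family, running_config, mode)]


# Constructed sample configuration (not taken from any real device): both
# optional features named in the summary are switched on here.
SAMPLE_CONFIG = """\
hostname dc1-leaf-01
feature nxapi
feature bfd
cfs ipv4 distribute
"""

if __name__ == "__main__":
    for family, mode in (("Nexus 9000", "standalone"), ("Nexus 9000", "aci"),
                         ("Nexus 5500", "standalone"), ("UCS 6400", "standalone")):
        print(f"{family} ({mode}):")
        for cve, why in assess_exposure(family, SAMPLE_CONFIG, mode):
            print(f"   {cve}: {why}")
```

A device that meets none of the feature preconditions is not reported, except for the BFD rate-limiter flaw, where the article names only a platform and mode; a Nexus 9000 in standalone mode is therefore always flagged for CVE-2022-20623 until it is confirmed to be on a fixed release.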
Cisco also announced an additional fix for CVE-2021-1586, a DoS vulnerability it first addressed in August 2021, for Nexus 9000 series switches in Application Centric Infrastructure (ACI) mode deployed in Multi-Pod or Multi-Site network configurations.
The vulnerability exists because TCP traffic sent to a specific port is not properly sanitised, allowing an attacker to send crafted data to that port.
Cisco advises customers to update their devices with the latest fixes, which were delivered as part of the semiannual FXOS and NX-OS security releases in February 2022. According to the company, none of these vulnerabilities have been exploited in attacks.