Cisco stated this week that fixes for four vulnerabilities in its FXOS and NX-OS network operating systems are now available, including one denial-of-service problem that the National Security Agency identified. CVE-2022-20650, a command injection flaw that may be exploited remotely without authentication to execute arbitrary commands as root, is the most severe security weakness. It is assigned a CVSS score of 8.8.
The flaw arises because user-supplied data isn’t properly checked, allowing an attacker to execute instructions on the operating system by sending a forged HTTP POST request to the NX-API function on the vulnerable device. Cisco points out that the NX-API functionality is turned off by default. This vulnerability affects Nexus 3000, 5500, 5600, 6000, and 9000 series switches that run an unpatched NX-OS software version and enables the NX-API capability.
The next three flaws might all be used to generate denial of service (DoS) attacks. The NSA’s vulnerability affects NX-OS’ Fabric Services over IP (CFSoIP) capability. This high-severity flaw, identified as CVE-2022-20624, arises because inbound CFSoIP packets aren’t adequately verified, allowing an attacker to transmit forged packets to exploit it.
If CFSoIP is enabled, the problem affects Nexus 3000 and 9000 series switches, as well as UCS 6400 series fabric interconnects (the feature is disabled by default). The NSA hasn’t revealed any other information regarding the vulnerability. Another DoS flaw in NX-rate OS’s limiter for Bidirectional Forwarding Detection (BFD) traffic has been detected as CVE-2022-20623. It may be exploited remotely, without authentication, to cause BFD traffic to be discarded. Only switches in the Nexus 9000 series running standalone NX-OS are affected.
The issue arises due to a logic fault in the BFD rate limiter feature. It might be exploited by sending a designed stream of traffic via the susceptible device, causing IPv4 and IPv6 traffic to be dropped and resulting in a DoS event. In the Multi-Pod or Multi-Site network configurations for Nexus 9000 series switches in Application Centric Infrastructure (ACI) mode, Cisco also announced the availability of an additional remedy for CVE-2021-1586, a DoS vulnerability it first addressed in August 2021.
The vulnerability arises because TCP traffic delivered to a specific port is not properly sanitized, allowing an attacker to submit forged data. Customers are encouraged to upgrade their devices with the most recent patches, which were provided as part of the February 2022 Semiannual FXOS and NX-OS security releases. According to the business, none of these issues have been used in attacks.