Cisco has addressed several vulnerabilities in its Nexus Dashboard. Exploiting these vulnerabilities could enable attackers to conduct CSRF attacks or execute arbitrary code.
Cisco Nexus Dashboard Vulnerabilities
Elaborating on the security issues in a recent advisory, Cisco has confirmed patching three different vulnerabilities in the Nexus Dashboard.
Cisco's Nexus Dashboard is a dedicated cloud network dashboard that lets users monitor and manage the entire data center infrastructure operations. Unfortunately, these critical functionalities also mean that any security flaws affecting this application would directly put the security of the connected network at risk.
Describing the impact of these vulnerabilities, the advisory reads,
Cisco Nexus Dashboard is deployed as a cluster, connecting each service node to two networks:
- Data network (fabric0, fabric1)
- Management network (mgmt0, mgmt1)
The scope of these exploits could be limited to the network interfaces that have exposure.
Specifically, Cisco has addressed the following three vulnerabilities in the application.
- CVE-2022-20857 (critical severity; CVSS 9.8): insufficient access controls in a specific API allowed an unauthenticated, remote adversary to execute arbitrary code on the target system. Exploiting the flaw merely required the attacker to send maliciously crafted HTTP requests to the API.
- CVE-2022-20861 (high severity; CVSS 8.8): weak CSRF protections in the Nexus Dashboard web UI allowed an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks. An adversary could persuade a targeted, authenticated user to click on a maliciously crafted link to trigger the bug. Once achieved, the flaw would grant the attacker admin access to the system, allowing the attacker to perform any intended actions.
- CVE-2022-20858 (high severity; CVSS 8.2): the service managing container images has poor access controls. Hence, an unauthenticated, remote adversary could trigger the flaw by opening a TCP connection to the vulnerable device. Once achieved, the adversary could then upload malicious container images or download the existing container images.
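The CSRF weakness described for CVE-2022-20861 is the kind of gap a synchronizer-token check closes: a state-changing request is only honoured when it carries a per-session token that a cross-site page cannot read, and when its Origin (or Referer) header belongs to the dashboard itself. The following is an added illustration written for this article, not Cisco's code and not a description of how Nexus Dashboard implements its fix; the `CsrfGuard` class, the allowed origin `https://dashboard.example.internal`, the session id `sess-1` and the request headers are all constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit


class CsrfGuard:
    """Synchronizer-token CSRF check for state-changing requests.

    Hypothetical helper written for this example. A real web UI would
    keep the token in its server-side session store and emit it in a
    hidden form field or a custom request header.
    """

    STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

    def __init__(self, allowed_origins):
        # Origins from which the UI is legitimately served, e.g. the
        # management-network address of the dashboard.
        self.allowed_origins = set(allowed_origins)
        self._tokens = {}  # session id -> CSRF token

    def issue_token(self, session_id):
        """Mint an unguessable token bound to one authenticated session."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def _origin_ok(self, headers):
        """Accept the request only if Origin, or failing that Referer,
        resolves to one of the allowed origins. A missing header is
        treated as untrusted rather than as a pass."""
        origin = headers.get("Origin")
        if origin is None:
            referer = headers.get("Referer")
            if referer is None:
                return False
            parts = urlsplit(referer)
            origin = f"{parts.scheme}://{parts.netloc}"
        return origin in self.allowed_origins

    def check(self, method, headers, session_id, submitted_token):
        """Return (allowed, reason). Safe methods pass; state-changing
        methods need a matching origin and a matching session token."""
        if method.upper() not in self.STATE_CHANGING:
            return True, "safe method"
        if not self._origin_ok(headers):
            return False, "origin/referer not allowed"
        expected = self._tokens.get(session_id)
        if expected is None or submitted_token is None:
            return False, "missing token"
        # Constant-time comparison so the check does not leak the token
        # byte by byte through timing.
        if not hmac.compare_digest(expected, submitted_token):
            return False, "token mismatch"
        return True, "ok"


def demo():
    """Run the guard over constructed requests; returns the reasons."""
    guard = CsrfGuard(["https://dashboard.example.internal"])
    token = guard.issue_token("sess-1")
    same_site = {"Origin": "https://dashboard.example.internal"}
    cross_site = {"Origin": "https://other.example"}  # constructed third-party origin
    return {
        "legit_post": guard.check("POST", same_site, "sess-1", token),
        "forged_cross_site": guard.check("POST", cross_site, "sess-1", token),
        "no_token": guard.check("POST", same_site, "sess-1", None),
        "read_only": guard.check("GET", cross_site, "sess-1", None),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:18s} allowed={allowed} ({reason})")
```

The point the example makes is that the forged request in `forged_cross_site` fails even though the victim's browser would have attached the session cookie: the attacker's page can neither read the token nor forge the browser-set Origin header. Restricting which interfaces expose the UI, as the advisory's note on data and management networks suggests, narrows who can even attempt the request in the first place.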
Patches Deployed
Cisco has addressed all three vulnerabilities with the Nexus Dashboard releases 1.1, 2.0, 2.1, and 2.2. Moreover, the vendor confirmed there are no viable workarounds for the flaws, urging users to update their systems at the earliest opportunity to stay protected.