Security gaps in Cisco's FXOS and NX-OS allow device takeover
Attackers could have executed arbitrary code with root privileges on devices running Cisco's FXOS and NX-OS router and firewall operating systems. Updates are available.
With operating system updates, Cisco has closed several security gaps in its routers, firewalls and other appliances. Attackers could have taken complete control of affected devices.
High-risk gaps
The most serious vulnerability affects the Cisco Discovery Protocol (CDP). According to Cisco's security advisory, attackers in the same broadcast domain could send manipulated CDP packets to exploit insufficient validation of certain packet values. This could lead to the execution of injected malicious code with root privileges, or to affected devices crashing and restarting repeatedly, i.e. a denial of service (CVE-2022-20824, CVSS 8.8, risk "high").
Numerous series running older FXOS and NX-OS versions are affected. In addition, the Cisco Discovery Protocol must be enabled on an interface; according to Cisco, however, this is the case on almost all devices, the exception being Cisco Nexus 9000 fabric switches in ACI mode. The bugs are found in Firepower 4100 Firewalls, Firepower 9300 Security Appliances, MDS 9000 Multilayer Switches, Nexus 1000 Virtual Edge for VMware vSphere, Nexus 1000V Switch for Microsoft Hyper-V, Nexus 1000V Switch for VMware vSphere, Nexus 3000 Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Switches, Nexus 7000 Switches, Nexus 9000 Fabric Switches in ACI Mode, Nexus 9000 Switches in Standalone NX-OS Mode, UCS 6200 Fabric Interconnects, UCS 6300 Fabric Interconnects and UCS 6400 Fabric Interconnects.
In the security advisory, Cisco links to the updated software and provides information for IT managers on how to install it.
Another vulnerability affects the processing of OSPFv3 packets in Cisco's NX-OS. Cisco writes in its security bulletin that attackers could paralyze vulnerable devices because of insufficient input validation. Sending a specially crafted OSPFv3 Link State Advertisement (LSA) is sufficient. Although OSPFv3 must first be enabled, Cisco classifies the risk as high (CVE-2022-20823, CVSS 8.6, high).
The developers link to updated software for the affected devices in the security advisory: Nexus 3000 Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Switches, Nexus 7000 Switches, Nexus 9000 Fabric Switches in ACI mode and Nexus 9000 Switches in standalone NX-OS mode.
Commands can be injected
Finally, because of insufficient input validation in Cisco's FXOS command-line interface, malicious actors holding the administrator role could execute commands with root privileges (CVE-2022-20865, CVSS 6.7, medium). Cisco Firepower 4100 firewalls and Firepower 9300 security appliances are affected. Administrators can obtain updated software by following the guidance in Cisco's security bulletin.
Administrators should schedule a maintenance window for the Cisco devices in the near future to install the updates and thus reduce the attack surface for cybercriminals. Just two weeks ago, it became known that attackers had broken into Cisco's networks. However, no sensitive information was leaked.
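Added example, not from the article or from Cisco: a small Python helper that reads the NX-OS release from `show version` output and compares it with the first fixed release of its own release train, so an inventory of the NX-OS models listed above can be checked against the advisories. The `show version` excerpt is constructed, the shape of its "NXOS: version" line is an assumption, and the fixed-release table is a placeholder to be filled from Cisco's advisory.

```python
import re
from typing import Dict, Tuple

# Constructed excerpt of NX-OS `show version` output (assumption: the release
# appears on a line of the form "NXOS: version <release>").
SAMPLE_SHOW_VERSION = """\
Cisco Nexus Operating System (NX-OS) Software
  BIOS: version 07.69
  NXOS: version 9.3(5)
"""

# Placeholder table of the first fixed release per release train; fill it from
# Cisco's advisory. The values here are constructed for the example only.
FIRST_FIXED_BY_TRAIN: Dict[str, str] = {"9.3": "9.3(9)", "10.2": "10.2(2)"}

VERSION_LINE = re.compile(r"^\s*NXOS:\s+version\s+(\S+)", re.MULTILINE)
TOKENS = re.compile(r"\d+|[A-Za-z]+")

def parse_nxos_version(show_version_output: str) -> str:
    """Extract the release string, e.g. '9.3(5)' or '7.0(3)I7(4)'."""
    match = VERSION_LINE.search(show_version_output)
    if match is None:
        raise ValueError("no 'NXOS: version' line in output")
    return match.group(1)

def version_key(release: str) -> Tuple:
    """Comparable key: numeric tokens compare as integers; a letter token (the
    'I' in 7.0(3)I7(4)) sorts after a release that ends at the same prefix."""
    return tuple((0, int(t)) if t.isdigit() else (1, t.upper())
                 for t in TOKENS.findall(release))

def train(release: str) -> str:
    """Release train = first two numeric components, e.g. '9.3'."""
    nums = [t for t in TOKENS.findall(release) if t.isdigit()]
    return ".".join(nums[:2])

def needs_update(release: str, first_fixed: Dict[str, str]) -> bool:
    """True when the release is older than the first fixed release of its own
    train. Fixed releases are listed per train, so versions are never compared
    across trains; a train missing from the table is flagged for review."""
    fixed = first_fixed.get(train(release))
    if fixed is None:
        return True
    return version_key(release) < version_key(fixed)
```

Feed it the real `show version` output of each device and the per-train fixed releases from the advisory; a device whose train is not in the table is reported as needing review rather than silently passed.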