Cisco Nexus Dashboard Unauthorized Access Vulnerabilities (CVE-2022-20857, CVE-2022-20858, and CVE-2022-20861)

Cisco has released patches for multiple vulnerabilities in Cisco Nexus Dashboard (CVE-2022-20857, CVE-2022-20858, and CVE-2022-20861). The vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack.
 
These vulnerabilities were discovered during internal security testing by Michael J Davenport of the Cisco Advanced Security Initiatives Group (ASIG). 

Cisco Nexus Dashboard is a single-pane-of-glass console that streamlines data center network operations and management. The platform lets operators configure, operate, and analyze everything from one place across the data center and cloud.

Cisco Nexus Dashboard is deployed as a cluster, connecting each service node to two networks: 

  • Data network (fabric0, fabric1) 
  • Management network (mgmt0, mgmt1) 

The scope of each exploit can be limited to the network interfaces that are exposed.
 
The vulnerabilities are independent of each other. It is not necessary to exploit one vulnerability to exploit another. A software release that is impacted by one of the vulnerabilities might not be impacted by the others.
 
CVE-2022-20857: Cisco Nexus Dashboard Arbitrary Command Execution Vulnerability 
This vulnerability in Cisco Nexus Dashboard allows an unauthenticated, remote attacker to access a specific API that is running in the data network and execute arbitrary commands on a vulnerable device.
  
The vulnerability arises from inadequate access controls for a particular API. An attacker could exploit it by sending specially crafted HTTP requests to the vulnerable API. On successful exploitation, the attacker can run arbitrary commands as the root user in any pod on a node.
 
CVE-2022-20858: Cisco Nexus Dashboard Container Image Read and Write Vulnerability 
This Cisco Nexus Dashboard vulnerability allows an unauthenticated, remote attacker to access a service that is running in the data and management networks on a vulnerable device. 
  
The vulnerability arises from insufficient access controls for a service that manages container images. An attacker could exploit it by establishing a TCP connection to the vulnerable service. On successful exploitation, the attacker can download container images or upload malicious container images to the target device. The malicious images would run after the device has rebooted or a pod has restarted.
  
CVE-2022-20861: Cisco Nexus Dashboard Cross-Site Request Forgery Vulnerability 
This vulnerability in the web UI running in the management network of Cisco Nexus Dashboard allows an unauthenticated, remote attacker to perform a cross-site request forgery (CSRF) attack on a vulnerable device.
  
The vulnerability exists because of insufficient CSRF protections for the web UI on an affected device. An attacker can exploit it by convincing an authenticated administrator of the web-based administration interface to click a malicious link. On successful exploitation, the attacker can perform actions on the impacted device as Administrator.
   
Affected versions  
Cisco Nexus Dashboard (Cisco APIC) versions 1.1, 2.0, and 2.1 are affected by these vulnerabilities. 
 
Mitigation  
Customers are advised to refer to the official Cisco Security Advisory (cisco-sa-ndb-mhcvuln-vpsBPJ9y) for more information about patching the vulnerabilities.  
 
Qualys Detection 
Qualys customers can scan their devices with QID 317209 to detect vulnerable assets. 
 
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities. 
  
References 
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndb-mhcvuln-vpsBPJ9y
