If you thought you were over the hump with Patch Tuesday then perhaps think again: Cisco has just released fixes for seven flaws, two of which are not great.
First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it’s not going to fix. In other words, junk your kit or somehow mitigate the risk.
Both of these received a CVSS score of 9.8 out of 10 in severity. The IT giant urged customers to patch affected security appliances ASAP if possible, and upgrade to newer hardware if you’re still using an end-of-life, buggy router. We note that miscreants aren’t actively exploiting either of these vulnerabilities — yet.
The first security flaw, tracked as CVE-2022-20798, is an authentication bypass vulnerability in the virtual and hardware versions of Cisco Secure Email and Web Manager, and the Cisco Email Security Appliance. It occurs when the device uses Lightweight Directory Access Protocol (LDAP) for external authentication, and the good news is that Cisco disables external authentication by default.
A remote user could exploit the flaw “by entering a specific input on the login page of the affected device,” the networking titan warned in a security advisory this week. Once the intruder has gained unauthorized access, they could perform any number of illicit actions from the web-based interface including crashing the device.
Another high-severity flaw, CVE-2022-20664, in these same virtual and hardware appliances could allow a remote, authenticated user to steal credentials from a LDAP external authentication server connected to a device. However, exploiting this bug would require valid operator-level, or higher, credentials. It received a CVSS score of 7.7, and Cisco issued a software update to fix this bug, too.
The second critical vulnerability exists in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W routers, which the vendor stopped selling [PDF] in 2019. Cisco isn’t issuing a fix for this one, and said there’s no workaround. Instead, customers should upgrade to newer hardware.
The flaw, tracked as CVE-2022-20825, also received a 9.8 CVSS score, and it’s due to insufficient user input validation of incoming HTTP packets.
“An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface,” according to Cisco’s security alert. “A successful exploit could allow the attacker to execute arbitrary commands on an affected device using root-level privileges,” and also stop and restart the device, resulting in a denial of service.
In addition to the two critical and one high-severity vulnerabilities, Cisco disclosed an additional four medium-severity flaws on Wednesday.
All of these follow a slew of vulnerabilities announced — and sometimes fixed — by Cisco and other software companies earlier this month.
The most notable, and long awaited, was Microsoft’s fix for the Follina zero-day flaw in Windows.
Since May, malware operators, include state-sponsored gangs, have used Follina to menace or compromise organizations, including US and European government agencies; to spread the data-stealing Qbot malware; and to delete data and install banking trojans, among other illicit activities. ®