"Cisco Patches Severe Vulnerabilities in Nexus Dashboard"

Cisco recently announced the availability of patches for multiple vulnerabilities in Nexus Dashboard, including a critical-severity issue that could lead to the execution of arbitrary commands.  The Nexus Dashboard is a data center management console that provides administrators and operators with quick access to required resources across services and applications.  The most severe of the newly resolved vulnerabilities affecting the console is CVE-2022-20857 (CVSS score of 9.8), which could allow a remote, unauthenticated attacker to access a specific API and execute arbitrary commands.  In its advisory, Cisco also details CVE-2022-20861 and CVE-2022-20858, two high-severity security bugs in Nexus Dashboard that could lead to cross-site request forgery (CSRF) attacks and to the uploading of malicious container images, respectively.  CVE-2022-20861 exists because the web UI on affected devices does not have sufficient CSRF protections.  CVE-2022-20858 exists because a service that manages container images does not have sufficient access controls, thus allowing an attacker to open a TCP connection to the affected service, download container images, and upload malicious images that would run after a device reboot.  All three vulnerabilities were resolved with the release of Nexus Dashboard 2.2(1e).  Cisco is urging users of Nexus Dashboard 1.1, 2.0, and 2.1 to upgrade to the new version as soon as possible.  This week, Cisco also resolved a high-severity security issue in the SSL/TLS implementation of Nexus Dashboard, which could allow a remote, unauthenticated attacker to tamper with the communication with associated controllers or access sensitive information.  Tracked as CVE-2022-20860, the vulnerability has been resolved with the release of Nexus Dashboard 2.2(1h).  Cisco stated that it is unaware of any of these vulnerabilities being exploited in attacks.

SecurityWeek reports: "Cisco Patches Severe Vulnerabilities in Nexus Dashboard"