CVE-2022-20824: Cisco FXOS and NX-OS Arbitrary Code Execution Flaw

Cisco on Wednesday released patches for 3 vulnerabilities in its products, including multiple flaws that impact Cisco FXOS, and NX-OS software.

The most important of the bugs is a high severity flaw in FXOS and NX-OS that could allow an unauthenticated, adjacent attacker to execute arbitrary code as root. The weakness can also be exploited for denial of service (DoS).

Tracked as CVE-2022-20824 (CVSS score: 8.8), the vulnerability is triggered due to due to improper input validation of specific values that are within a Cisco Discovery Protocol message. The attacker could send a malicious Cisco Discovery Protocol packet to an affected device and cause a buffer overflow to run code or cause a DoS condition.

The flaw impacts

• Firepower 4100 Series (CSCwb74498)
• Firepower 9300 Security Appliances (CSCwb74498)
• MDS 9000 Series Multilayer Switches (CSCwb74494)
• Nexus 1000 Virtual Edge for VMware vSphere (CSCwb74495)
• Nexus 1000V Switch for Microsoft Hyper-V (CSCwb74495)
• Nexus 1000V Switch for VMware vSphere (CSCwb74495)
• Nexus 3000 Series Switches (CSCwb70210)
• Nexus 5500 Platform Switches (CSCwb74496)
• Nexus 5600 Platform Switches (CSCwb74496)
• Nexus 6000 Series Switches (CSCwb74496)
• Nexus 7000 Series Switches (CSCwb74494)
• Nexus 9000 Series Fabric Switches in ACI mode (CSCwb74493)
• Nexus 9000 Series Switches in standalone NX-OS mode (CSCwb70210)
• UCS 6200 Series Fabric Interconnects (CSCwb74497)
• UCS 6300 Series Fabric Interconnects (CSCwb74497)
• UCS 6400 Series Fabric Interconnects (CSCwb74513)

Because the Discovery Protocol is enabled by default globally and on all interfaces in FXOS and NX-OS, CVE-2022-20824 impacts numerous products, including Nexus, Firepower, UCS, and MDS.

Another high-risk flaw patched on Wednesday is a DoS flaw (CVE-2022-20823, CVSS score: 8.6) in NX-OS software for Nexus 3000/6000/7000 Series Switches, Nexus 5500/5600 Platform Switches, Nexus 9000 Series Fabric Switches in ACI mode, and Nexus 9000 Series Switches in standalone NX-OS mode which could be exploited remotely without authentication.

Lastly, the networking equipment maker also patched a command injection vulnerability (CVE-2022-20865, CVSS score: 6.7) in the CLI of Cisco FXOS software, which could “allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The attacker would need to have Administrator privileges on the device.”

Cisco has confirmed that this vulnerability does not affect the following Cisco products:

• Firepower 1000 Series
• Firepower 2100 Series
• MDS 9000 Series Multilayer Switches
• Nexus 1000 Virtual Edge for VMware vSphere
• Nexus 1000V Switch for Microsoft Hyper-V
• Nexus 1000V Switch for VMware vSphere
• Nexus 3000 Series Switches
• Nexus 5500 Platform Switches
• Nexus 5600 Platform Switches
• Nexus 6000 Series Switches
• Nexus 7000 Series Switches
• Nexus 9000 Series Fabric Switches in ACI mode
• Nexus 9000 Series Switches in standalone NX-OS mode
• UCS 6200 Series Fabric Interconnects
• UCS 6300 Series Fabric Interconnects
• UCS 6400 Series Fabric Interconnects

Cisco said that it’s not aware of “any public announcements or malicious use” of the aforementioned vulnerabilities. Software updates were released for vulnerable products. Cisco customers with valid licenses are advised to upgrade to an appropriate release. Details on the resolved vulnerabilities and the affected products and devices are available on Cisco’s website.