Cisco on Wednesday announced the availability of patches for multiple vulnerabilities in Nexus Dashboard, including a critical-severity issue that could lead to the execution of arbitrary commands.
The Nexus Dashboard is a data center management console that provides administrators and operators with quick access to required resources across services and applications.
The most severe of the newly resolved vulnerabilities affecting the console is CVE-2022-20857 (CVSS score of 9.8), which could allow a remote, unauthenticated attacker to access a specific API and execute arbitrary commands.
“The vulnerability is due to insufficient access controls for a specific API. An attacker could exploit this vulnerability by sending crafted HTTP requests to the affected API. A successful exploit could allow the attacker to execute arbitrary commands as the root user in any pod on a node,” Cisco explains.
In its advisory, Cisco also details CVE-2022-20861 and CVE-2022-20858, two high-severity security bugs in Nexus Dashboard that could lead to cross-site request forgery (CSRF) attacks and to the uploading of malicious container images, respectively.
The first of the bugs exists because the web UI on affected devices does not have sufficient CSRF protections. An attacker who convinces an authenticated administrator to click on a malicious link may perform actions on a vulnerable device, with administrator privileges.
The second issue exists because a service that manages container images does not have sufficient access controls, thus allowing an attacker to open a TCP connection to the affected service and download container images and upload malicious images that would run after a device reboot.
All three vulnerabilities were resolved with the release of Nexus Dashboard 2.2(1e). Users of Nexus Dashboard 1.1, 2.0, and 2.1 are advised to upgrade to the fixed release as soon as possible.
This week, Cisco also resolved a high-severity security issue in the SSL/TLS implementation of Nexus Dashboard, which could allow a remote, unauthenticated attacker to tamper with the communication with associated controllers, or access sensitive information.
Because of improper validation of SSL server certificates when Nexus Dashboard connects to Application Policy Infrastructure Controller (APIC), Cloud APIC, or Nexus Dashboard Fabric Controller, an attacker may use man-in-the-middle techniques to intercept traffic between the device and the controllers, and then impersonate the controllers.
“A successful exploit could allow the attacker to alter communications between devices or view sensitive information, including Administrator credentials for these controllers,” Cisco explains.
Tracked as CVE-2022-20860, the vulnerability has been resolved with the release of Nexus Dashboard 2.2(1h).
Cisco says it is not aware of any of these vulnerabilities being exploited in attacks.