Cisco's patch day plugs six vulnerabilities

Network giant also launched OpenSSL 3.x investigation.

Cisco has announced patches for vulnerabilities in its Identity Services Engine, security appliance, and BroadWorks CommPilot products.

All six of the vulnerabilities published yesterday are rated high-severity.

CVE-2022-20956 is an access control vulnerability in the Identity Services Engine.

While only accessible to an authenticated user, a successful exploit “could allow the attacker to list, download, and delete certain files that they should not have access to”.

“This vulnerability is due to improper access control in the web-based management interface of an affected device,” the vendor said, and it can be exploited with a crafted HTTP request.

The company intends to release patched software.

The other Identity Services Engine vulnerability is CVE-2022-20961, a cross-site request forgery bug.

The advisory said it allows “an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device.”

“An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link,” it states.

“A successful exploit could allow the attacker to perform arbitrary actions on the affected device with the privileges of the target user.”
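The CSRF flaw above works because the browser attaches the victim's session cookie to whatever request a crafted link triggers, so the cookie alone cannot be allowed to authorise a state-changing action. The standard defence is a per-session synchronizer token that only a page rendered by the legitimate site can supply. The following Python sketch is an added illustration of that defence and is not Cisco code or anything taken from the advisory; the `Request` shape, the session store and the `SECRET` signing key are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Server-side signing key (constructed for this example; a real deployment
# would load it from protected configuration and rotate it).
SECRET = secrets.token_bytes(32)

# Methods that must never change state; everything else needs a CSRF token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str) -> str:
    """Mint a token bound to one session: nonce + HMAC(secret, session:nonce).

    Binding the token to the session means a token lifted from another user's
    page cannot be replayed against this session.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical shape, not a real framework)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def handle_request(req: Request, sessions: dict) -> tuple[int, str]:
    """Gate state-changing requests on a valid, session-bound CSRF token.

    The session cookie proves who the browser is logged in as; the token
    proves the request originated from a page the site itself rendered.
    """
    session_id = req.cookies.get("session")
    if session_id not in sessions:
        return 401, "no valid session"
    if req.method.upper() in SAFE_METHODS:
        return 200, "ok"
    # Accept the token from a form field or a request header.
    token = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token", "")
    if not verify_csrf_token(session_id, token):
        return 403, "csrf token missing or invalid"
    return 200, "ok"


def demo() -> list[tuple[str, int]]:
    """Legitimate form submission vs. requests that carry only the cookie."""
    sessions = {"sess-abc": {"user": "admin"}}  # constructed session store
    token = issue_csrf_token("sess-abc")
    legit = Request("POST", "/admin/delete-user", cookies={"session": "sess-abc"},
                    form={"user": "bob", "csrf_token": token})
    # A request triggered by a crafted link: the browser adds the cookie, but
    # the attacker's page cannot read the token, so none is present.
    forged = Request("POST", "/admin/delete-user", cookies={"session": "sess-abc"},
                     form={"user": "bob"})
    # A token minted for a different session must not be accepted either.
    replayed = Request("POST", "/admin/delete-user", cookies={"session": "sess-abc"},
                       form={"user": "bob", "csrf_token": issue_csrf_token("sess-xyz")})
    return [("legitimate", handle_request(legit, sessions)[0]),
            ("forged", handle_request(forged, sessions)[0]),
            ("replayed", handle_request(replayed, sessions)[0])]


if __name__ == "__main__":
    for label, status in demo():
        print(f"{label}: HTTP {status}")
```

Running the script shows the legitimate submission accepted with 200 while the cookie-only and cross-session requests are refused with 403. In a real management interface this check sits alongside `SameSite` cookie attributes and an `Origin`/`Referer` check as defence in depth; the token check is the layer that does not depend on browser behaviour.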

The BroadWorks CommPilot software is subject to two vulnerabilities, CVE-2022-20951 and CVE-2022-20958.

An authenticated remote attacker could “execute arbitrary code on an affected device or obtain confidential information from the Cisco BroadWorks server and other devices on the network.”

CVE-2022-20958 is an input validation bug in CommPilot’s web management interface, while CVE-2022-20951 is a server-side request forgery (SSRF) vulnerability in the application software, also attributed to “insufficient validation of user-supplied input”.

CVE-2022-20867 and CVE-2022-20868 affect the company’s Email Security Appliance, Secure Email and Web Manager, and Secure Web Appliance management products.

CVE-2022-20868 affects all the listed products except the web appliance, while CVE-2022-20867 affects the full list of products.

CVE-2022-20867 is an SQL injection bug in the management interface of the products, allowing an authenticated remote attacker to execute commands as root on the target system.

CVE-2022-20868 is a privilege escalation bug in the management interface of affected products, available to authenticated remote attackers.

All the vulnerabilities except CVE-2022-20956 have patches available.

Cisco has also reported its investigation into this week’s OpenSSL 3.x patch. The company said “OpenSSL 3.x is not widely used in Cisco products and cloud offers”.

So far, the only products under investigation are its Ultra Cloud Core cable device; the Evolved Programmable Network Manager and IoT Field Network Director software; and SD-WAN vAnalytics Software and SD-WAN vManage Software.

Copyright © iTnews.com.au . All rights reserved.