The most critical of the errors is user-supplied data in the NX-API feature of Cisco NX-OS Software.
"An attacker could exploit this vulnerability by sending a crafted HTTP POST request to the NX-API of an affected device," Cisco said. "A successful exploit could allow an attacker to execute arbitrary commands with root privileges on the underlying operating system."
The flaw affects Nexus 3000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, and Nexus 9000 Series Switches in standalone NX-OS mode running Cisco NX-OS Software with NX-API enabled.
Also patched two high severity denial of service (DoS) bugs in NX-OS – CVE-2022-20624 and CVE-2022-20623 (CVSS scores: 8.6) – located in Cisco Fabric Services Over IP (CFSoIP) and Bidirectional Routing Detection (BFD) traffic functions.
CVE-2022-20624, reported to Cisco by the US National Security Agency (NSA), affects Nexus 3000 and 9000 Series Switches and UCS 6400 Series Fabric Interconnects, assuming CFSoIP is enabled. On the other hand, CVE-2022-20623 only affects Nexus 9000 Series Switches with BFD turned on.
Finally, the network equipment manufacturer patched a third DoS vulnerability (CVE-2022-20625, CVSS score: 4.3) in Cisco FXOS Software and Cisco NX-OS Software's Cisco Discovery Protocol service that could "allow an unauthenticated, adjacent attacker". causing a denial of service (DoS) condition, causing the service to restart."
Cisco said it was not aware of "any public announcement or malicious use" of the above-mentioned vulnerabilities. However, users are advised to act quickly to apply the necessary updates to avoid potential real-world exploits.
