Cisco Released Patches for Vulnerabilities Affecting Several Products
The vulnerability, identified as CVE-2022-28199 (CVSS 8.6), is due to improper error handling in the network stack of DPDK, which enables a remote attacker to cause a denial-of-service (DoS) scenario and affects data integrity and confidentiality.
A framework and standard API for high-speed networking applications are provided by the DPDK, which is a set of libraries and optimized network interface card (NIC) drivers for fast packet processing.
Cisco Products Affected by CVE-2022-28199
Cisco stated it looked into its product line and found the following services were impacted by the bug:
Cisco Catalyst 8000V Edge Software
Adaptive Security Virtual Appliance (ASAv)
9.17.1.x (release date TBD)
Secure Firewall Threat Defense Virtual (formerly FTDv)
22.214.171.124-x (release date TBD)
Cisco has also fixed a flaw identified as CVE-2022-20696 (CVSS 7.5) in Cisco SD-WAN vManage Software. The vulnerability could provide an unauthenticated attacker that already has access to VPN0 logical network with access to the messaging service ports. If the attack is successful, the attacker may be able to view and inject messages to force a reload or alter configurations.
Another fix was issued for a flaw in the messaging interface of the Cisco Webex App. CVE-2022-20863 vulnerability was caused due to improper character rendering that could allow an unauthenticated remote attacker to alter links and content to initiate phishing attacks.
Auth Bypass Flaw Will Not Be Fixed
Cisco additionally provided information about an authentication bypass flaw (CVE-2022-20923) that could lead to an attacker obtaining administrator-level privileges. CVE-2022-20923 affects devices that are configured to have IPSec VPN Server enabled.
Cisco explained there would be no patches for this flaw due to impacted products (RV110W, RV130, RV130W, and RV215W Routers) reaching end-of-life. The vulnerability is not critical, but it is recommended to migrate to a supported router series.