CVE-2022-20754 The API and web-based management interfaces of Cisco Expressway and VCS could be vulnerable to write privileges if an attacker has read/write privileges.

Cisco XE Switch Software versions prior to 2.2.2, Cisco XE Software versions prior to 2.2.1, Cisco XE Software versions prior to 1.8, Cisco XE Software versions prior to 1.6, Cisco XE Software versions prior to 1.4, and Cisco XE Software versions prior to 1.2 contain a vulnerability that could allow an unauthenticated attacker to cause a denial-of-service (DoS) condition. An attacker could exploit this vulnerability by sending large packets of data to the device. Cisco XE Switch Software versions 2.2.2, Cisco XE Software versions 2.2.1, Cisco XE Software versions 1.8, Cisco XE Software versions 1.6, Cisco XE Software versions 1.4, and Cisco XE Software versions 1.2 contain a vulnerability that could allow an authenticated, remote attacker to execute arbitrary code on an affected device as the root user. An attacker could exploit this vulnerability by sending crafted HTTP requests to the device. Cisco XE Switch Software versions prior to 2.2.2, Cisco XE Software versions prior to 2.2.1, Cisco XE Software versions prior to 1.8, Cisco XE Software versions prior to 1.6, Cisco XE Software versions prior to 1.4, and Cisco XE Software versions prior to 1.2 contain a vulnerability that could allow an authenticated, remote attacker to cause a denial-of-service (

Cisco Firewall Device Denial of Service Vulnerability

Cisco Firewall Device Denial of Service Vulnerability: Cisco Firewall Device Denial of Service Vulnerability is related to the article CVE-2022-20754.

Overview of the Vulnerabilities

The vulnerabilities for these products are related to how the products handle large packet traffic. An attacker could exploit this vulnerability by sending large packets of data to the device. Cisco XE Switch Software versions prior to 2.2.2, Cisco XE Software versions prior to 2.2.1, Cisco XE Software versions prior to 1.8, Cisco XE Software versions prior to 1.6, Cisco XE Software versions prior to 1.4, and Cisco XE Software versions prior to 1.2 contain a vulnerability that could allow an unauthenticated attacker to cause a denial-of-service (DoS) condition. An attacker could exploit this vulnerability by sending crafted HTTP requests to the device.
Cisco XE Switch Software versions 2.2.2, Cisco XE Software versions 2.2.1, Cisco XE Software version 1.8, and Cisco XE Software version 1.6 contain a vulnerability that could allow an authenticated, remote attacker to execute arbitrary code on an affected device as the root user when HTTP-based services are enabled on an affected device with SSH keys configured as authentication method in configuration mode or when SSH key is configured as authentication method in CLI mode on an affected device with HTTP-based services enabled and without HTTPS support enabled on the device or single sign-on is not enabled on the device with web browser access configured as authentication method in configuration mode or when web browser access is configured as authentication method in

Vulnerability Description

A vulnerability in the Cisco XE Switch Software could allow an unauthenticated attacker to cause a denial-of-service (DoS) condition. An attacker could exploit this vulnerability by sending large packets of data to the device.

Timeline

Published on: 04/06/2022 19:15:00 UTC
Last modified on: 04/14/2022 15:43:00 UTC

References

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-filewrite-87Q5YRk
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-20754