During late September and early October we noted a set of interesting vulnerabilities reported by Cisco, accompanied by mitigation and update instructions. As usual, no specific technical details were given, but the available information is enough to conclude that they are pretty dangerous. Let's walk through them one by one.
CVE-2022-20848 - Cisco IOS XE resource exhaustion
Catalyst 9100 Series Access Points running Cisco IOS XE suffer from defective processing of incoming UDP packets. An external attacker could send a specially crafted UDP packet that forces the device to reload, creating a denial-of-service condition.
CVE-2022-20847 - Cisco IOS XE Wireless Controller resource exhaustion #1
A similar situation affects Cisco's wireless controllers (specifically, Catalyst 9000 family devices), but this time the trigger is DHCP packets. Again, a reload and denial of service is what you get.
CVE-2022-20856 - Cisco IOS XE Wireless Controller resource exhaustion #2
The same family of devices can be brought down by sending CAPWAP Mobility messages to them. Cisco diplomatically describes the cause as a "logic error and improper management of resources", but in practice this looks like a memory leak: after a sufficient number of such messages the device's memory is exhausted and it reloads. Nice.
CVE-2022-20919 - Cisco IOS improper input validation
Cisco IOS and IOS XE mishandle incoming CIP (Common Industrial Protocol) packets. An attacker can send malicious CIP packets to a target device and trigger a reload. With proper input validation, IOS would have rejected such packets as malformed instead of crashing on them.
CVE-2022-20945 - Cisco Catalyst 9100 improper input validation
A similar lack of validation, this time in the 802.11 wireless protocol. If an attacker sends specially crafted association frames containing a certain set of parameters to a Cisco Catalyst 9100 Series access point, the device cannot "swallow" them and reloads. A CVSS score of only 7.4 looks low for this bug; the most likely explanation is that CVSS rates an attack launched from radio range as Adjacent (AV:A) rather than Network, which caps the score even when no authentication or user interaction is needed. In practice, wireless targets are easier to attack than wired ones, since no physical access to cables or ports is required: a powerful transmitter and a good antenna are enough. What makes it worse, the attack does not require wireless association, so the attacker only needs the MAC address of the victim device and the fact that it is a Cisco Catalyst. Both pieces of information are easily extracted from 802.11 frames by just sniffing the radio: the BSSID is transmitted in every beacon, and its vendor prefix (OUI) identifies the manufacturer.
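The "just sniff the radio" step is a plain parsing job. The following added example (my own code, not from the original post or from Cisco) parses 802.11 management frames, pulls the BSSID and SSID out of beacons and the target BSSID out of association requests, and maps the BSSID's OUI to a vendor. It assumes the capture's radiotap header has already been stripped and the FCS is absent; the sample frames are constructed inline, and the OUI table is a deliberately partial stand-in for the IEEE registry (00:00:0C is Cisco Systems' original OUI).

```python
import struct

# Constructed, partial OUI table; replace with the full IEEE OUI registry in real use.
OUI_VENDORS = {"00:00:0c": "Cisco Systems"}

MGMT_SUBTYPES = {0: "association-request", 5: "probe-response", 8: "beacon"}


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ssid_ie(ssid: str) -> bytes:
    """Tagged element 0 (SSID): id, length, payload."""
    data = ssid.encode()
    return bytes([0, len(data)]) + data


def build_beacon(bssid: bytes, ssid: str) -> bytes:
    """Constructed beacon: FC 0x0080 (mgmt/beacon), broadcast receiver, SA = BSSID = AP."""
    header = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0431)   # timestamp, 100 TU interval, capabilities
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported-rates IE (1/2/5.5/11 Mbit/s)
    return header + fixed + ssid_ie(ssid) + rates


def build_assoc_request(bssid: bytes, client: bytes, ssid: str) -> bytes:
    """Constructed association request: FC 0x0000, RA = BSSID = AP, TA = client."""
    header = struct.pack("<HH6s6s6sH", 0x0000, 0, bssid, client, bssid, 0)
    fixed = struct.pack("<HH", 0x0431, 10)       # capability info, listen interval
    return header + fixed + ssid_ie(ssid)


def parse_mgmt_frame(frame: bytes) -> dict:
    """Parse one 802.11 management frame (no radiotap header, no FCS)."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte 802.11 MAC header")
    fc, _dur, a1, a2, a3, _seq = struct.unpack("<HH6s6s6sH", frame[:24])
    ftype = (fc >> 2) & 0x3       # bits 2-3 of the first frame-control byte
    subtype = (fc >> 4) & 0xF     # bits 4-7
    if ftype != 0:
        raise ValueError("not a management frame")
    info = {
        "subtype": MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}"),
        "receiver": mac(a1), "transmitter": mac(a2), "bssid": mac(a3), "ssid": None,
    }
    body = frame[24:]
    if subtype in (5, 8):
        body = body[12:]          # beacon / probe response: timestamp + interval + capability
    elif subtype == 0:
        body = body[4:]           # association request: capability + listen interval
    i = 0
    while i + 2 <= len(body):     # walk the tagged-IE list: id, length, payload
        tag, ln = body[i], body[i + 1]
        payload = body[i + 2:i + 2 + ln]
        if len(payload) < ln:
            break                 # truncated element: stop rather than misparse
        if tag == 0:
            info["ssid"] = payload.decode("utf-8", errors="replace")
        i += 2 + ln
    info["vendor"] = OUI_VENDORS.get(info["bssid"][:8], "unknown")
    return info


def cisco_bssids(frames) -> dict:
    """Map BSSID -> SSID for every beacon whose OUI resolves to Cisco Systems."""
    found = {}
    for f in frames:
        p = parse_mgmt_frame(f)
        if p["subtype"] == "beacon" and p["vendor"] == "Cisco Systems":
            found[p["bssid"]] = p["ssid"]
    return found


if __name__ == "__main__":
    ap = bytes.fromhex("00000c123456")            # constructed Cisco-OUI BSSID
    other = bytes.fromhex("02aabbccddee")         # constructed non-Cisco BSSID
    client = bytes.fromhex("0a1b2c3d4e5f")
    print(cisco_bssids([build_beacon(ap, "corp-wifi"), build_beacon(other, "guest")]))
    print(parse_mgmt_frame(build_assoc_request(ap, client, "corp-wifi")))
```

With a real capture, the frames come from a monitor-mode interface with the radiotap header stripped per its own length field; the association request shows that the BSSID an attacker would need is carried in plaintext in addr1/addr3 of every such frame, which is why no prior association or key material is involved.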
CVE-2022-20837 - Cisco IOS XE unhandled exception
The DNS Application Layer Gateway (ALG) used during network address translation (NAT) on Cisco IOS XE mishandles certain types of DNS packets. An attacker who knows that a target device performs NAT can send a crafted DNS packet over TCP that causes the device to reload.
CVE-2022-20769 - Cisco Wireless LAN Controller out-of-bounds write
If a Cisco Wireless LAN Controller is configured in FIPS mode, a nearby attacker can crash the device by sending specially crafted packets. It is not disclosed whether this can be done over the air or requires access to the wired LAN.
CVE-2022-20855 - Cisco IOS XE command injection
This flaw is less severe than the previous ones, as it requires authentication. Specifically, an attacker who has access to the restricted shell (available at privilege level 15 on Cisco's privilege scale) can escape it to the underlying operating system and execute arbitrary commands as the superuser (root).
CVE-2022-20775 - Cisco SD-WAN path traversal
Cisco SD-WAN Software is vulnerable in its CLI. Due to missing access controls, an attacker with command-line shell access can gain superuser privileges. The severity of this CVE is not so high, as the attacker has to be authenticated and needs direct access to the CLI.
Useful Links