#VU68524 Input validation error in Cisco Systems, Inc Hardware solutions


Published: 2022-10-20

Vulnerability identifier: #VU68524

Vulnerability risk: High

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-20933

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Meraki MX
Hardware solutions / Firmware
Meraki Z3
Hardware solutions / Firmware
Cisco Meraki Z3C
Hardware solutions / Firmware
Cisco Meraki MX67CW
Hardware solutions / Firmware
Cisco Meraki MX67W
Hardware solutions / Firmware
Cisco Meraki MX68CW
Hardware solutions / Firmware
Cisco Meraki MX68W
Hardware solutions / Firmware
Cisco Meraki MX64
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Meraki MX64W
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Meraki MX65
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Meraki MX65W
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Meraki MX67
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Meraki MX68
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Meraki MX75
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Meraki MX84
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Meraki MX85
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Meraki MX95
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Meraki MX100
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Meraki MX105
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Meraki MX250
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Meraki MX400
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Meraki MX450
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Meraki MX600
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Meraki vMX
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor: Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of client-supplied parameters while establishing an SSL VPN session. A remote attacker can send a specially crafted request to the application and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Meraki MX: 16.2 - 17.0

Meraki Z3: All versions

Cisco Meraki Z3C: All versions

Cisco Meraki MX64: All versions

Cisco Meraki MX64W: All versions

Cisco Meraki MX65: All versions

Cisco Meraki MX65W: All versions

Cisco Meraki MX67: All versions

Cisco Meraki MX67CW: All versions

Cisco Meraki MX67W: All versions

Cisco Meraki MX68: All versions

Cisco Meraki MX68CW: All versions

Cisco Meraki MX68W: All versions

Cisco Meraki MX75: All versions

Cisco Meraki MX84: All versions

Cisco Meraki MX85: All versions

Cisco Meraki MX95: All versions

Cisco Meraki MX100: All versions

Cisco Meraki MX105: All versions

Cisco Meraki MX250: All versions

Cisco Meraki MX400: All versions

Cisco Meraki MX450: All versions

Cisco Meraki MX600: All versions

Cisco Meraki vMX: All versions

External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-vnESbgBf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Denial of service in Cisco Meraki MX and Z3 Teleworker Gateway devices