Cisco fixes NFVIS bugs that help gain root and hijack hosts

Cisco has addressed multiple security vulnerabilities found in Enterprise NFV Infrastructure Software (NFVIS), a solution that helps virtualize network services for easier management of Virtual Network Functions (VNFs).

Two of them, classified as critical and high severity, can be exploited by attackers to execute commands with root privileges or to escape the guest virtual machine (VM) and completely compromise NFVIS hosts.

Cisco’s Product Security Incident Response Team (PSIRT) says that there is no proof-of-concept exploit code and no ongoing exploitation in the wild.

Root Access to NFVIS Hosts

One of them, a critical guest escape tracked as CVE-2022-20777, was found in the Cisco Enterprise NFVIS Next Generation Input/Output (NGIO) feature.

CVE-2022-20777 is caused by insufficient guest restrictions and allows authenticated attackers to escape the guest VM and gain root-level access to the host in low complexity attacks without requiring user interaction.

“An attacker could exploit this vulnerability by sending an API call from a virtual machine that will run with root-level privileges on the NFVIS host. A successful exploit could allow the attacker to completely compromise the host NFVIS,” Cisco explained.

The second (tracked as CVE-2022-20779) is a high severity command injection vulnerability in the Cisco Enterprise NFVIS image registration process due to improper input validation.

Unauthenticated attackers can exploit it remotely to inject commands that run with root privileges on the host during the image save process in low complexity attacks that require interaction.

“An attacker could exploit this vulnerability by persuading an administrator on the host machine to install a virtual machine image with crafted metadata that will execute commands with root-level privileges during the virtual machine registration process,” Cisco added.

“A successful exploit could allow the attacker to inject commands with root-level privileges into the NFVIS host.”

The company has released security updates to fix these flaws and said there is no workaround to address the vulnerabilities.

Cisco Enterprise NFVIS version | First fixed version
Prior to 4.0 | Migrate to a fixed version.
4.0 | 4.7.1
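
A fleet triage check built from the fixed-version table above, as an added example (not Cisco's code and not part of the original article). It assumes a constructed `hostname,version` inventory with dotted-numeric version strings, and that releases from 4.0 up to but not including 4.7.1 need the upgrade while 4.7.1 and later carry the fix.

```python
import re

# From the table above: the 4.0 train is first fixed in 4.7.1.
FIRST_FIXED = (4, 7, 1)

def parse_version(text):
    """Return the leading dotted-numeric part as a tuple of ints, or None."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad "4.7" to (4, 7, 0)

def triage(version_text):
    """Classify one NFVIS version string against the fixed-version table."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"   # unparsable: check the host by hand
    if v < (4, 0, 0):
        return "migrate"   # "Prior to 4.0: migrate to a fixed version"
    if v < FIRST_FIXED:
        return "upgrade"   # 4.x below 4.7.1
    return "fixed"

def triage_inventory(lines):
    """Map hostname -> triage result for 'hostname,version' lines."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        result[host.strip()] = triage(version)
    return result

# Constructed sample inventory (hostnames and version suffixes are made up).
SAMPLE = """\
# hostname,version
branch-01,3.12.3
branch-02,4.6.1-FC2
branch-03,4.7.1
branch-04,4.10.1
branch-05,n/a
"""

if __name__ == "__main__":
    for host, state in triage_inventory(SAMPLE.splitlines()).items():
        print(f"{host}: {state}")
```

Versions are compared as integer tuples rather than strings, so a hypothetical 4.10.1 is correctly treated as newer than 4.7.1.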

Last month, Cisco also fixed a bug in the Cisco Umbrella Virtual Appliance (VA) that allowed unauthenticated attackers to steal administrator credentials remotely.

A week earlier, the company asked customers to apply security updates to address a maximum-severity vulnerability in Wireless LAN Controller (WLC) software that allowed hackers to create their own login credentials.
