Cisco Releases Patches for Three New Enterprise NFVIS Software Flaws 

Cisco Systems released security fixes on Wednesday to address three vulnerabilities in its Enterprise NFV Infrastructure Software (NFVIS) that could allow an attacker to fully compromise and take control of the hosts. The vulnerabilities, identified as CVE-2022-20777, CVE-2022-20779, and CVE-2022-20780, “could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM,” said the company.

Orange Group’s Cyrille Chatras, Pierre Denouel, and Loïc Restoux are credited with detecting and reporting the problems. Version 4.7.1 has been updated with new features. According to the networking equipment maker, the weaknesses affect Cisco Enterprise NFVIS in its default configuration. The following are the specifics of the three bugs: 

  • CVE-2022-20777 (CVSS score of 9.9): Insufficient guest restrictions allow an authenticated, remote attacker to escape from the guest VM and gain unauthorized root-level access to the NFVIS host.
  • CVE-2022-20779 (CVSS score of 8.8): Because of a weakness in input validation, an unauthenticated, remote attacker can inject commands that run at the root level on the NFVIS host through the image registration procedure.
  • CVE-2022-20780 (CVSS score of 7.4): An unauthenticated, remote attacker might access system information from the host on any configured VM by exploiting a vulnerability in the import function of Cisco Enterprise NFVIS.

Cisco also recently patched a high-severity vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, which might allow an authenticated but unprivileged remote attacker to elevate privileges to level 15.

“This includes privilege level 15 access to the device using management tools like the Cisco Adaptive Security Device Manager (ASDM) or the Cisco Security Manager (CSM),” said the company in an advisory for CVE-2022-20759 (CVSS score of 8.8). 

In addition, Cisco published a “field notice” this week advising customers of Catalyst 2960X/2960XR appliances to update to IOS Release 15.2(7)E4 or later to activate new security capabilities intended to “verify the authenticity and integrity of our solutions” and prevent compromises.

About the author

CIM Team
