Cisco addresses three bugs in Enterprise NFVIS Software

Pierluigi Paganini May 05, 2022

Cisco addresses three flaws impacting its Enterprise NFV Infrastructure Software (NFVIS) that could allow the compromise of the hosts.

Cisco addressed three vulnerabilities, tracked as CVE-2022-20777, CVE-2022-20779, and CVE-2022-20780, affecting the Enterprise NFV Infrastructure Software (NFVIS) that could be exploited by attackers to take control of the hosts.

“Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM,” reads the advisory published by Cisco.

An attacker could exploit the vulnerabilities to escape from the guest virtual machine (VM) to the host machine, execute commands as root, or leak system data from the host to the VM.

Below are the three vulnerabilities fixed by the IT giant:

  • CVE-2022-20777 (CVSS score: 9.9) – A vulnerability in the Next Generation Input/Output (NGIO) feature of Cisco Enterprise NFVIS could allow an authenticated, remote attacker to escape from the guest VM to gain unauthorized root-level access on the NFVIS host.
  • CVE-2022-20779 (CVSS score: 8.8) – A vulnerability in the image registration process of Cisco Enterprise NFVIS could allow an unauthenticated, remote attacker to inject commands that execute at the root level on the NFVIS host during the image registration process.
  • CVE-2022-20780 (CVSS score: 7.4) – A vulnerability in the import function of Cisco Enterprise NFVIS could allow an unauthenticated, remote attacker to leak system data from the host to any configured VM.

The vulnerabilities were reported by Cyrille Chatras, Pierre Denouel, and Loïc Restoux of Orange Group.

The Cisco Product Security Incident Response Team (PSIRT) said that it is not aware of any public announcements or malicious use of these vulnerabilities.
