Administrators need to patch their Cisco Enterprise Network Function Virtualisation Infrastructure Software (NFVIS) to address several critical flaws, tracked as CVE-2022-20777 rated as 9.9 out of 10 CVSS.
Attackers could also inject commands as the root superuser, and leak system data from the host server to the virtual machine.
A vulnerability in the Next Generation Input/Output (NGIO) feature of Cisco Enterprise NFVIS could allow an authenticated, remote attacker to escape from the guest VM to gain unauthorized root-level access on the NFVIS host. This vulnerability is due to insufficient guest restrictions. An attacker could exploit this vulnerability by sending an API call from a VM that will execute with root-level privileges on the NFVIS host. A successful exploit could allow the attacker to compromise the NFVIS host completely.Cisco Advisory
The Linux-based NFVIS is used by service providers and enterprises to design, deploy and manage virtualized network functions, such as routing, firewalls, and wide area network accelerators.
Insufficient guest restrictions let attackers send API calls from a VM, with root privileges, to fully compromise host systems, Cisco warned.
A second bug tracked as CVE-2022-20779 rated as 8.8 out of 10 CVSS, in the image registration process of NFVIS allows unauthenticated, remote attackers to inject commands, again as root with full system access.
Another vulnerability tracked as CVE-2022-20780 with CVSS of 7.4 out of 10, in the NFVIS extended markup language (XML) import function of NFVIS lets attackers read data from hosts and write to any configured VM.
There are no workarounds for the vulnerabilities, but Cisco has released patched software, NFVIS version 4.7.1, and advises customers to migrate from earlier variants.