Cisco Systems has rolled out patches for three flaws affecting its Enterprise NFV Infrastructure Software (NFVIS). Attackers can use the flaws to compromise systems and take control away from users.
The flaws, labelled CVE-2022-20777, CVE-2022-20779 and CVE-2022-20780, “could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM,” the company said.
Cyrille Chatras, Pierre Denouel, and Loïc Restoux of Orange Group discovered and reported the flaws. Updates have been rolled out in version 4.7.1.
The networking equipment company said the flaws affect Cisco Enterprise NFVIS in the default configuration. Details of the three bugs are as follows:
- CVE-2022-20777 (CVSS score: 9.9) – An issue with insufficient guest restrictions that allows an authenticated, remote attacker to escape from the guest VM to gain unauthorized root-level access on the NFVIS host.
- CVE-2022-20779 (CVSS score: 8.8) – An improper input validation flaw that permits an unauthenticated, remote attacker to inject commands that execute at the root level on the NFVIS host during the image registration process.
- CVE-2022-20780 (CVSS score: 7.4) – A vulnerability in the import function of Cisco Enterprise NFVIS that could allow an unauthenticated, remote attacker to access system information from the host on any configured VM.
Further, Cisco patched a severe flaw in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that could let an authenticated, but unprivileged, remote attacker raise privileges to level 15.
“This includes privilege level 15 access to the device using management tools like the Cisco Adaptive Security Device Manager (ASDM) or the Cisco Security Manager (CSM),” the company noted in an advisory for CVE-2022-20759 (CVSS score: 8.8).