Cisco Systems on Wednesday shipped safety patches to include three flaws impacting its Enterprise NFV Infrastructure Software (NFVIS) that would allow an attacker to completely compromise and take management over the hosts.
Tracked as CVE-2022-20777, CVE-2022-20779, and CVE-2022-20780, the vulnerabilities “could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM,” the corporate mentioned.
Credited for locating and reporting the problems are Cyrille Chatras, Pierre Denouel, and Loïc Restoux of Orange Group. Updates have been launched in model 4.7.1.
The networking tools firm mentioned the failings have an effect on Cisco Enterprise NFVIS within the default configuration. Details of the three bugs are as follows –
- CVE-2022-20777 (CVSS rating: 9.9) – An challenge with inadequate visitor restrictions that enables an authenticated, distant attacker to flee from the visitor VM to achieve unauthorized root-level entry on the NFVIS host.
- CVE-2022-20779 (CVSS rating: 8.8) – An improper enter validation flaw that allows an unauthenticated, distant attacker to inject instructions that execute on the root stage on the NFVIS host in the course of the picture registration course of.
- CVE-2022-20780 (CVSS rating: 7.4) – A vulnerability within the import operate of Cisco Enterprise NFVIS that would permit an unauthenticated, distant attacker to entry system data from the host on any configured VM.
Also addressed by Cisco not too long ago is a high-severity flaw in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software program that would permit an authenticated, however unprivileged, distant attacker to raise privileges to stage 15.
“This includes privilege level 15 access to the device using management tools like the Cisco Adaptive Security Device Manager (ASDM) or the Cisco Security Manager (CSM),” the corporate famous in an advisory for CVE-2022-20759 (CVSS rating: 8.8).
Furthermore, Cisco final week issued a “subject discover” urging customers of Catalyst 2960X/2960XR home equipment to improve their software program to IOS Release 15.2(7)E4 or later to allow new safety features designed to “verify the authenticity and integrity of our solutions” and stop compromises.