On Wednesday, Cisco Systems released security patches for three flaws affecting its Enterprise NFV Infrastructure Software (NFVIS) that could allow an attacker to fully compromise and take control of affected hosts.
Tracked as CVE-2022-20777, CVE-2022-20779, and CVE-2022-20780, the vulnerabilities "could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM," the company said.
Cyrille Chatras, Pierre Denouel, and Loïc Restoux of Orange Group are credited with discovering and reporting the issues. Fixes have been released in NFVIS version 4.7.
The networking equipment maker said the vulnerabilities affect Cisco Enterprise NFVIS in its default configuration. The details of the three flaws are as follows:
CVE-2022-20777 (CVSS score: 9.9) – An issue stemming from insufficient guest restrictions that allows an authenticated, remote attacker to escape from the guest virtual machine and gain unauthorized root-level access on the NFVIS host.
CVE-2022-20779 (CVSS score: 8.8) – An improper input validation vulnerability that allows an unauthenticated, remote attacker to inject commands that execute at the root level on the NFVIS host during the image registration process.
CVE-2022-20780 (CVSS score: 7.4) – A vulnerability in the import function of Cisco Enterprise NFVIS that could allow an unauthenticated, remote attacker to access system information from the host on any configured virtual machine.
Also recently addressed by Cisco is a high-severity vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that could allow an authenticated, but unprivileged, remote attacker to elevate privileges to level 15.
"This includes privilege level 15 access to the device using management tools like Cisco Adaptive Security Device Manager (ASDM) or Cisco Security Manager (CSM)," the company noted in an advisory for CVE-2022-20759 (CVSS score: 8.8).
Furthermore, last week Cisco issued a "field notice" urging users of Catalyst 2960X/2960XR devices to upgrade their software to IOS Release 15.2(7)E4 or later in order to enable new security features designed to "verify the authenticity and integrity of our solutions" and prevent compromises.
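Acting on a field notice like this one across a fleet means comparing each switch's running release against the stated minimum. The following checker is an added example written for this article; it is not code from Cisco or from the original page. It parses the Cisco IOS release naming format (major.minor(maintenance)Train[rebuild], e.g. 15.2(7)E4), pulls the release string out of `show version` output, and reports whether the device meets the 15.2(7)E4 minimum. It assumes the common `show version` banner layout shown in the constructed sample, and it only compares releases within the same software train (here, the E train); a device running a different train is reported as "not comparable" rather than silently passed or failed.

```python
import re
from typing import Optional, Tuple

# Minimum release named in Cisco's field notice for Catalyst 2960X/2960XR.
MIN_2960X_RELEASE = "15.2(7)E4"

# Cisco IOS release format: <major>.<minor>(<maintenance>)<train>[<rebuild>]
# e.g. 15.2(7)E4 -> major 15, minor 2, maintenance 7, train "E", rebuild 4.
_IOS_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]+)(\d*)$")

# Pulls the release string out of a `show version` banner line.
_SHOW_VERSION_RE = re.compile(r"Version\s+(\d+\.\d+\(\d+\)[A-Z]+\d*)")

# Constructed sample `show version` output (assumed layout, not a real capture).
SAMPLE_SHOW_VERSION = (
    "Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), "
    "Version 15.2(7)E3, RELEASE SOFTWARE (fc1)\n"
    "Technical Support: http://www.cisco.com/techsupport\n"
)


def parse_ios_release(release: str) -> Optional[Tuple[int, int, int, str, int]]:
    """Split an IOS release string into comparable parts, or None if malformed.

    A release with no rebuild number (e.g. 15.2(7)E) is treated as rebuild 0,
    which sorts before 15.2(7)E1.
    """
    m = _IOS_RELEASE_RE.match(release.strip())
    if not m:
        return None
    major, minor, maint, train, rebuild = m.groups()
    return (int(major), int(minor), int(maint), train, int(rebuild) if rebuild else 0)


def meets_minimum(release: str, minimum: str = MIN_2960X_RELEASE) -> Optional[bool]:
    """True if `release` is at or above `minimum` within the same train.

    Returns None when either string is malformed or the trains differ
    (e.g. EX vs E), because cross-train ordering is not meaningful.
    """
    cur = parse_ios_release(release)
    req = parse_ios_release(minimum)
    if cur is None or req is None or cur[3] != req[3]:
        return None
    # Compare (major, minor, maintenance, rebuild); the train is already equal.
    return (cur[0], cur[1], cur[2], cur[4]) >= (req[0], req[1], req[2], req[4])


def release_from_show_version(text: str) -> Optional[str]:
    """Extract the running release from `show version` output, if present."""
    m = _SHOW_VERSION_RE.search(text)
    return m.group(1) if m else None


def audit_show_version(text: str, minimum: str = MIN_2960X_RELEASE) -> Tuple[Optional[str], str]:
    """Return (release, verdict) where verdict is one of:
    'compliant', 'upgrade-required', 'not-comparable', 'unknown'."""
    release = release_from_show_version(text)
    if release is None:
        return None, "unknown"
    result = meets_minimum(release, minimum)
    if result is None:
        return release, "not-comparable"
    return release, "compliant" if result else "upgrade-required"


if __name__ == "__main__":
    rel, verdict = audit_show_version(SAMPLE_SHOW_VERSION)
    print(f"running {rel}: {verdict} (minimum {MIN_2960X_RELEASE})")
```

Feed `audit_show_version` the captured output of `show version` from each switch; the sample above, running 15.2(7)E3, is reported as `upgrade-required`. The "not-comparable" verdict is deliberate: a 2960X reporting a release from another train should be looked at by a person rather than auto-classified.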