May 8, 2022
Cisco Patches 2 NFVIS RCE Vulnerabilities
Cisco has patched two remote code execution vulnerabilities in its NFV Infrastructure Software (NFVIS), one of them rated critical.
Cisco NFVIS is Linux-based infrastructure software for deploying virtualized network functions (virtual router, firewall, WAN acceleration, etc.) on supported Cisco appliances.
- CVE-2022-20777 (CVSS 3.1: 9.9, Critical) – A vulnerability in the Next Generation Input/Output (NGIO) feature of Cisco Enterprise NFVIS could allow an authenticated, remote attacker to escape from the guest VM and gain unauthorized root-level access on the NFVIS host.
- CVE-2022-20779 (CVSS 3.1: 8.8, High) – A vulnerability in the image registration process of Cisco Enterprise NFVIS could allow an unauthenticated, remote attacker to inject commands that execute with root privileges on the NFVIS host during image registration.
Affected products: Cisco NFVIS releases prior to version 4.7.1.
CYREBRO recommends updating affected products in accordance with the official advisory.
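The affected range is stated as "prior to 4.7.1", so the practical check is to compare each device's reported NFVIS release against that fixed version. The snippet below is an added example, not part of the original brief or any Cisco tooling: it compares dotted release strings numerically (a plain string comparison would wrongly treat 4.10.0 as older than 4.7.1) and lists the hosts from a constructed, hypothetical inventory that still need the upgrade. The hostnames and versions in `INVENTORY` are made up for illustration; how you obtain the version string from a real device is left to your inventory system.

```python
"""Flag NFVIS hosts running a release older than the fixed version (4.7.1)."""
from typing import Dict, List, Tuple

# First fixed release named in the advisory.
FIXED_VERSION = "4.7.1"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted release string into an integer tuple.

    Numeric comparison is required: as strings, "4.10.0" < "4.7.1",
    which would mark a patched host as vulnerable (or vice versa).
    Trailing non-digit suffixes (e.g. "1a") are dropped per component.
    """
    parts = []
    for component in v.strip().split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed release predates the fixed release.

    Shorter versions are zero-padded so "4.7" compares as 4.7.0 (< 4.7.1).
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Constructed sample inventory (hostname -> reported NFVIS version);
# these are hypothetical devices, not real assets.
INVENTORY: Dict[str, str] = {
    "nfvis-branch-01": "4.6.1",
    "nfvis-branch-02": "4.7.1",
    "nfvis-branch-03": "4.10.0",
    "nfvis-lab-01": "3.12.3",
}


def triage(inventory: Dict[str, str] = INVENTORY) -> List[str]:
    """Return the sorted hostnames still running an affected release."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    for host in triage():
        print(f"{host}: {INVENTORY[host]} predates {FIXED_VERSION}, schedule the upgrade")
```

Because `is_vulnerable` pads missing components with zeros, a device that reports only a two-part version such as "4.7" is treated as 4.7.0 and therefore still flagged, which is the conservative outcome for a triage list.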
References: Cisco Advisory.