Cisco Patches 2 NFVIS RCE Vulnerabilities

May 8, 2022 

Cisco has patched two remote code execution vulnerabilities in its NFV Infrastructure Software (NFVIS), one of them rated critical.

Cisco NFVIS is Linux-based infrastructure software for deploying virtualized network functions (virtual router, firewall, WAN acceleration, etc.) on a supported Cisco appliance.

The Vulnerabilities

  • CVE-2022-20777 (CVSS 3.1: 9.9, Critical) – A vulnerability in the Next Generation Input/Output (NGIO) feature of Cisco Enterprise NFVIS could allow an authenticated, remote attacker to escape from the guest VM and gain unauthorized root-level access on the NFVIS host.
  • CVE-2022-20779 (CVSS 3.1: 8.8, High Severity) – A vulnerability in the image registration process of Cisco Enterprise NFVIS could allow an unauthenticated, remote attacker to inject commands that execute at the root level on the NFVIS host during the image registration process. 

Affected Products

  • Cisco NFVIS prior to version 4.7.1. 

Mitigation

CYREBRO recommends updating the relevant products according to the official advisory.

References: Cisco Advisory. 
