Cisco Enterprise NFV Infrastructure Software Vulnerabilities
Description
Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. For more information about these vulnerabilities, see the Details section of this advisory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-20777 allows a VM with a crafted IP address (192.168.10.12) to access internal host APIs, leading to root command injection on the host.
Vulnerability
CVE-2022-20777 is an improper access control vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) versions up to 4.5.1-FC2 [2]. The NGIO (Next Generation I/O) network interface, intended for communication between trusted Cisco VMs and the host, has an overly permissive firewall rule that accepts any IP traffic from 192.168.10.12 [2]. This address can be assigned to a non-Cisco VM [2].
Exploitation
An attacker with the ability to configure a virtual machine (VM) on the NFVIS system can assign it the IP address 192.168.10.12 and attach it to a network that includes the int-mgmt-net subnet (192.168.10.0/25) [2]. The attacker then connects to the host's internal API on 192.168.10.1:8000 and injects shell metacharacters into the vcpu parameter, achieving root command injection [2]. A separate proof-of-concept (PoC #2) shows that from a Cisco ISRv VM with NGIO enabled, a similar command injection via curl can also achieve root execution [2].
Impact
Successful exploitation results in an attacker escaping from the guest VM to the host machine and executing arbitrary commands as root [2]. This leads to full compromise of the host, including potential data leakage and further attacks against other VMs or infrastructure.
Mitigation
Cisco has released NFVIS version 4.7.1, which contains the security patch for this vulnerability [1][2]. Users should upgrade to this fixed version. As a workaround, administrators are advised to restrict exposure of TCP ports used by Cisco agents, use separate VRFs (network namespaces) for NGIO interfacing, and enable mutual SSL authentication with Cisco components [2].
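The following audit sketch is an added example, not code from the advisory or from Cisco. It flags the class of rule described under Vulnerability: an ACCEPT that trusts a source address inside int-mgmt-net with no protocol, port or interface restriction. It assumes the host ruleset can be reviewed in iptables-save format; the sample ruleset is constructed and the function name is hypothetical.

```python
import ipaddress
import shlex

# Subnet taken from the advisory text (int-mgmt-net).
INT_MGMT_NET = ipaddress.ip_network("192.168.10.0/25")

# Options that narrow a rule beyond the claimed source address.
NARROWING = {"-p", "--protocol", "--dport", "--dports",
             "-i", "--in-interface", "-d", "--destination"}

# Constructed sample in iptables-save format (not taken from an NFVIS host).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.10.12/32 -j ACCEPT
-A INPUT -s 192.168.10.20/32 -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -s 10.0.0.5/32 -j ACCEPT
COMMIT
"""

def _value(tokens, *flags):
    """Return the token following the first occurrence of any flag."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in flags:
            return tokens[i + 1]
    return None

def source_only_accepts(ruleset):
    """Return (chain, source) for ACCEPT rules matching on source alone."""
    findings = []
    for line in ruleset.splitlines():
        tokens = shlex.split(line, comments=True)
        if len(tokens) < 4 or tokens[0] != "-A":
            continue  # table headers, chain policies, COMMIT, comments
        target = _value(tokens, "-j", "--jump")
        source = _value(tokens, "-s", "--source")
        if target != "ACCEPT" or source is None:
            continue
        if "!" in tokens or NARROWING & set(tokens):
            continue  # negated or already narrowed: out of scope here
        if ipaddress.ip_network(source, strict=False).overlaps(INT_MGMT_NET):
            findings.append((tokens[1], source))
    return findings

if __name__ == "__main__":
    for chain, source in source_only_accepts(SAMPLE):
        print(f"{chain}: ACCEPT on source {source} alone; address is VM-assignable")
```

A finding means any VM that can be given that address inherits the trust, which is the condition the advisory describes for 192.168.10.12.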
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Cisco/Cisco Enterprise NFV Infrastructure Software, v5, Range: n/a
Patches
No patches discovered yet.
References
- [1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-NFVIS-MUL-7DySRX9 (mitre, vendor-advisory, x_refsource_CISCO)
- [2] github.com/orangecertcc/security-research/security/advisories/GHSA-v56f-9gq3-rx3g (mitre, x_refsource_MISC)