Cisco Enterprise NFV Infrastructure Software Vulnerabilities

Vulnerability

Cisco Enterprise NFV Infrastructure Software (NFVIS) is vulnerable to an XML External Entity (XXE) injection vulnerability in the vmImportAction command. This functionality processes .vmbkp archives (tar.gz files) that contain a dep.xml configuration file. The dep.xml file is parsed by the EncsManager without proper sanitization of external entities. Affected versions include NFVIS 4.5.1-FC2 and earlier. [1]

Exploitation

An attacker must craft a malicious .vmbkp archive containing a dep.xml file with an XXE payload that references a system file (e.g., /etc/shadow). The archive is then imported via the vmImportAction command. No authentication is explicitly required for the import operation, but network access to the NFVIS management interface is necessary. The XXE payload is placed in a variable field within the XML, and upon processing, the external entity is resolved, leaking the file contents into the show command output. [1]

Impact

Successful exploitation allows an attacker to read sensitive system files from the host NFVIS machine, such as /etc/shadow, potentially leading to credential disclosure and further host compromise. This could facilitate escape from the guest virtual machine to the host and execution of arbitrary commands at the root level. [1]

Mitigation

Cisco has released software updates to address this vulnerability. Users should upgrade to a fixed version as indicated in the Cisco Security Advisory [2]. No workarounds are mentioned; the recommended action is to apply the available patch. [2]