Several Enterprise NFV Infrastructure Software vulnerabilities, including a critical and high-severity bug, have been fixed by Cisco, according to BleepingComputer
Threat actors could exploit the critical flaw, tracked as CVE-2022-20777, to escape guest virtual machines to facilitate total NFVIS host compromise, said Cisco.
"An attacker could exploit this vulnerability by sending an API
call from a VM that will execute with root-level privileges on the NFVIS host. A successful exploit could allow the attacker to compromise the NFVIS host completely," Cisco noted. Meanwhile, a high-severity command injection bug, tracked as CVE-2022-20779, could be abused to allow command injection that results in execution with root privileges.
"An attacker could exploit this vulnerability by persuading an administrator on the host machine to install a VM image with crafted metadata that will execute commands with root-level privileges during the VM registration process. A successful exploit could allow the attacker to inject commands with root-level privileges into the NFVIS host," Cisco added.