Security News > 2022 > May > Cisco Issues Patches for 3 New Flaws Affecting Enterprise NFVIS Software
Cisco Systems on Wednesday shipped security patches to contain three flaws impacting its Enterprise NFV Infrastructure Software (NFVIS) that could permit an attacker to fully compromise and take control of the hosts.
The networking equipment company said the flaws affect Cisco Enterprise NFVIS in the default configuration.
CVE-2022-20777 - An insufficient-guest-restrictions issue that allows an authenticated, remote attacker to escape from the guest VM and gain unauthorized root-level access on the NFVIS host.

CVE-2022-20780 - A vulnerability in the import function of Cisco Enterprise NFVIS that could allow an unauthenticated, remote attacker to access system information from the host on any configured VM.

Also addressed by Cisco recently is a high-severity flaw in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that could allow an authenticated, but unprivileged, remote attacker to elevate privileges to level 15.
"This includes privilege level 15 access to the device using management tools like the Cisco Adaptive Security Device Manager or the Cisco Security Manager," the company noted in an advisory for CVE-2022-20759.
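The NFVIS import-function bug (CVE-2022-20780) is listed as an XML External Entity (XXE) vulnerability in the advisory table on this page, but the page does not say which parser NFVIS uses or how the bug is triggered. The following Python example is added here and is not Cisco's code: it shows the generic pattern behind that class of bug. An import routine parses an uploaded VM-configuration document with external entity resolution switched on, so an `<!ENTITY ... SYSTEM "file:///...">` declaration in the upload makes the service read a host file and return its contents; a hardened version of the same routine rejects any DTD before content is parsed. Python's standard-library parsers disable external entity resolution by default, so the vulnerable variant is built directly on `xml.parsers.expat` with an entity handler to make the mechanism visible. The element names (`<config>`/`<name>`), the function names, and the "host secret" temp file created by `demo()` are all constructed for this example; nothing is read from the real system.

```python
"""Constructed XXE example: a VM-config import routine that resolves
external entities (vulnerable) beside one that refuses any DTD (safe).
Standard library only; the leaked "host file" is a temp file that demo()
creates and removes, not a real system file."""
import os
import tempfile
import xml.parsers.expat as expat


def _read_system_id(system_id):
    # Resolve an external entity's SYSTEM identifier from the local
    # filesystem. The path is attacker-controlled: it comes from the
    # uploaded XML, not from the application.
    if system_id.startswith("file://"):
        system_id = system_id[len("file://"):]
    with open(system_id, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def _install_name_extractor(parser):
    # Collect only the character data inside <name>; returns the buffer
    # that the parser appends to while it runs.
    state = {"in_name": False}
    text = []

    def start(name, attrs):
        if name == "name":
            state["in_name"] = True

    def end(name):
        if name == "name":
            state["in_name"] = False

    def on_text(data):
        if state["in_name"]:
            text.append(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = on_text
    return text


def parse_import_unsafe(xml_data):
    """Vulnerable import: returns the <name> of an uploaded VM-config
    document, resolving external entities on the way. An
    <!ENTITY x SYSTEM "file:///..."> declaration therefore makes the
    service read any file it can open and hand the content back."""
    parser = expat.ParserCreate()
    text = _install_name_extractor(parser)

    def on_external_entity(context, base, system_id, public_id):
        # A child parser processes the external entity's content. It
        # inherits the parent's handlers, so the file's text is appended
        # to the same buffer as ordinary document text.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(_read_system_id(system_id), True)
        return 1  # returning 0 would abort the parse instead

    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_data, True)
    return "".join(text)


def parse_import_safe(xml_data):
    """Hardened import: any DOCTYPE (and hence any entity declaration)
    is rejected before content is parsed, parameter entities are never
    expanded, and an external entity reference aborts the parse with
    expat.ExpatError instead of being fetched."""
    parser = expat.ParserCreate()
    text = _install_name_extractor(parser)

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise ValueError("DTD not allowed in import: %r" % doctype_name)

    def reject_external(context, base, system_id, public_id):
        return 0

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(xml_data, True)
    return "".join(text)


def demo():
    """Constructed end-to-end run: a fake 'host secret' in a temp file,
    an XXE payload pointing at it, and what each parser returns."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("host-secret: constructed, not a real credential\n")
        secret_path = fh.name
    try:
        payload = (
            '<?xml version="1.0"?>'
            '<!DOCTYPE config [<!ENTITY xxe SYSTEM "file://{}">]>'
            '<config><name>&xxe;</name></config>'
        ).format(secret_path)
        leaked = parse_import_unsafe(payload)
        try:
            parse_import_safe(payload)
            blocked = False
        except (ValueError, expat.ExpatError):
            blocked = True
        benign = parse_import_safe('<config><name>vm-01</name></config>')
        return {"leaked": leaked, "blocked": blocked, "benign": benign}
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(demo())
```

The hardened version layers three controls so that no single parser option has to be remembered: the DOCTYPE handler stops the document before any entity is declared, parameter-entity expansion is off, and the external-entity handler returns 0 so an entity that somehow gets referenced aborts the parse rather than fetching a URL or file.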
Cisco last week issued a "Field notice" urging users of Catalyst 2960X/2960XR switches to upgrade their software to IOS Release 15.2(7)E4 or later to enable new security features designed to "Verify the authenticity and integrity of our solutions" and prevent compromises.
News URL
https://thehackernews.com/2022/05/cisco-issues-patches-for-3-new-flaws.html
Related Vulnerabilities
DATE | CVE | VULNERABILITY | RISK (CVSS base score) |
---|---|---|---|
2022-05-04 | CVE-2022-20780 | XXE vulnerability in Cisco Enterprise NFV Infrastructure Software. Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. | 7.4 |
2022-05-04 | CVE-2022-20777 | Unspecified vulnerability (guest VM escape) in Cisco Enterprise NFV Infrastructure Software. Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. | 9.9 |
2022-05-03 | CVE-2022-20759 | Improper Privilege Management vulnerability in Cisco Firepower Threat Defense. A vulnerability in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, but unprivileged, remote attacker to elevate privileges to level 15. | 8.8 |