Critical bugs found in Cisco Enterprise NFV software

Administrators need to patch their Cisco Enterprise Network Function Virtualisation Infrastructure Software (NFVIS) to address several critical flaws, rated as 9.9 out of 10 on the Common Vulnerabilities Scoring System (CVSS).

In its advisory, Cisco said the vulnerabilities could allow an attacker to escape from guest virtual machines to the host server.

Attackers could also inject commands as the root superuser, and leak system data from the host server to the virtual machine.

The Linux-based NFVIS is used by service providers and enterprises to design, deploy and manage virtualised network functions, such as routing, firewalls and wide area network accelerators.

Insufficient guest restrictions let attackers send API calls from a VM, with root privileges, to fully compromise host systems, Cisco warned.

A second bug in the image registration process of NFVIS allows unauthenticated, remote attackers to inject commands, again as root with full system access.

A vulnerability in the NFVIS extended markup language (XML) import function of NFVIS lets attackers read data from hosts, and write to any configured VM.

There are no workarounds for the vulnerabilities, but Cisco has released patched software, NFVIS version 4.7.1 and advises customers to migrate from earlier variants.

Researchers Cyrille Chatras, Pierre Denouel and Loïc Restoux of Orange group reported the vulnerabilities to Cisco.