Cisco and F5 alert users to new critical vulnerabilities
Users of Cisco NFVIS and F5 BIG-IP should patch now or implement workarounds
Networking firms Cisco and F5 both warned of critical vulnerabilities affecting their products yesterday.
Cisco released patches for three remote execution flaws affecting its Enterprise Network Functions Virtualisation Infrastructure Software (NFVIS).
According to Cisco, the vulnerabilities "could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM".
Tracked as CVE-2022-20777 and with a CVSS base score of 9.9 (critical), the most serious of the flaws is a guest escape vulnerability which an attacker could use to gain root-level privileges and "compromise the NFVIS host completely".
The other vulnerabilities are a command injection glitch (CVE-2022-20779, CVSS 8.8) through which a remote attacker could execute commands as root on the NFVIS host during the image registration process, and an XML external entity injection vulnerability (CVE-2022-20780, CVSS 7.4) which "could allow an unauthenticated, remote attacker to leak system data from the host to any configured VM."
Customers are advised to download and apply the patches as soon as possible.
Meanwhile, cloud application security and delivery company F5 has released patches and workaround advisories for 43 issues affecting its products.
The most serious issue affects the traffic management system BIG-IP. Tracked as CVE-2022-1388 and with a CVSS base score of 9.8 (critical), the flaw allows an attacker to bypass an authentication check and potentially take control of the whole system.
"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only," the company says.
The authentication bypass bug affects multiple BIG-IP versions from version 11.x to 17.x and customers are advised to install a version of the software in which fixes have been introduced.
For versions to which fixes have not yet been applied, F5 suggests temporary workarounds including blocking iControl REST access through the self IP address and the management interface, and modifying the BIG-IP httpd configuration.
Other notable bugs resolved as part of the update are CVE-2022-25946 (CVSS 8.8), through which an authenticated attacker with admin privileges "may be able to bypass Appliance mode restrictions due to a missing integrity check in BIG-IP," and a BIG-IP TMUI XSS vulnerability (CVE-2022-28707, CVSS 8.0), a stored cross-site scripting (XSS) vulnerability in an undisclosed page of the BIG-IP configuration utility.
The vast majority of the flaws are in BIG-IP, but other products affected include NGINX Service Mesh, NGINX App Protect, F5 Access for Android and Traffix SDC.