Critical Cisco VM-Escape Bug Threatens Host Takeover

Make plans to patch as soon as possible: A critical security vulnerability in Cisco's Enterprise NFV Infrastructure Software (NFVIS) opens the door to complete takeover of a host.

Cisco's Enterprise NFVIS combines network functions virtualization (NFV) and software-defined networking (SDN) to allow enterprises to provision and manage virtual network services, applications, virtual machines (VMs), and hardware devices. As such, it sits in the middle of organizations' internal networks and offers a perfect pivot point for an attacker to move laterally within an enterprise environment.

The bug (CVE-2022-20777) carries a score of 9.9 out of 10 on the CVSS vulnerability-severity scale, and specifically exists in the Next Generation Input/Output (NGIO) feature of the software. According to Cisco's advisory this week, it stems from insufficient guest restrictions— someone signed onto a guest VM on a host machine is able to escape from that guest VM to gain unauthorized root-level access on the underlying host.

"An attacker could exploit this vulnerability by sending an API call from a VM," according to Cisco's advisory. "A successful exploit could allow the attacker compromise the NFVIS host completely."

The networking giant rolled out a patch for the issue late Tuesday.

JJ Guy, CEO and co-founder of Sevco Security, tells Dark Reading that enterprises need to take this one seriously, given that enterprises rely on guest VMs to separate workloads, enable different levels of permissions for different applications and users, segregate applications that pose more security risk than others, and more.

"VM escape bugs that allow a user with access to the host from the guest are always critical, regardless of the caveats of having to be authenticated," he says, noting that private companies should take the same approach to preventing escapes as the big cloud providers do.

"The entire public cloud infrastructure is based on the virtual machine being a reliable security boundary," he says. "When a public cloud provider sells compute on one physical box to multiple different clients via virtual machines, it must be able to guarantee those clients cannot impact each other. Any failure in that undermines what is fast becoming a critical part of computing."

Two Unauthenticated Cisco Bugs to Patch Quickly
Cisco also addressed two other vulnerabilities in the advisory. The first (CVE-2022-20779, CvSS 8.8) is a high-severity command-injection issue in the image-registration process. A successful exploit would allow an unauthenticated, remote attacker to inject commands that execute at the root level on the NFVIS host.

"This vulnerability is due to improper input validation," according to the advisory. "An attacker could exploit this vulnerability by persuading an administrator on the host machine to install a VM image with crafted metadata that will execute commands with root-level privileges during the VM registration process."

The other bug (CVE-2022-20780, CVSS 7.4) could allow an unauthenticated, remote attacker to leak system data from the host to any configured VM, including files containing sensitive user data. Even worse, an authenticated attacker could obtain access to confidential system information directly.

"This vulnerability is due to the resolution of external entities in the XML parser," according to Cisco. "An attacker could exploit this vulnerability by persuading an administrator to import a crafted file that will read data from the host and write it to any configured VM."

As always, to avoid falling victim to a successful cyberattack, patching quickly is the key, along with enforcing strong password hygiene to prevent attacks requiring authentication and account takeovers. Cisco software is no stranger to active targeting from cybercriminals — to the point where, in February, the US National Security Agency (NSA) issued fresh guidance for organizations on selecting strong passwords for Cisco devices, citing an increase in the number of compromises involving poorly protected network infrastructure.