Network companies Cisco and F5 warned yesterday about critical vulnerabilities affecting their products.

Cisco has released patches for three remote implementation shortcomings affecting its enterprise network infrastructure infrastructure virtualization software (NFVIS).

According to Cisco, vulnerabilities “may allow an attacker to escape from the virtual guest machine (VM) to the host machineinjecting commands that are executed at the primary level, or leaking system data from the host to the VM “.

Tracked as CVE-2022-20777 and with a baseline CVSS score of 9.9 (critical), the most serious of the shortcomings is the guest escape vulnerability, which an attacker can use to gain root privileges and “compromise” fully NFVIS host. “

Other vulnerabilities are a command injection error (CVE-2022-20779, CVSS 8.8) that could allow a remote attacker to execute commands such as the root of an NFVIS host during the image registration process, and a vulnerability when injecting an XML external object ( CVE-2022-20780, CVSS 7.4), which “may allow an uncertified remote attacker to leak system data from the host to any configured virtual machine”.

We advise customers to download and apply the patches as soon as possible.

Meanwhile, the cloud application security and delivery company F5 has released patches and tips to work around 43 issues affecting its products.

The most serious problem concerns the BIG-IP traffic management system. Tracked as CVE-2022-1388 and with a CVSS score of 9.8 (critical), the flaw allows the attacker to bypass the authentication check and potentially take control of the entire system.

“This vulnerability could allow an unauthorized attacker with network access to the BIG-IP system through the management port and / or your own IP addresses to execute arbitrary system commands, create or delete files, or disable services. No exposure in the data plane; it’s just a problem with the control plane, “the company said.

The authentication bypass error affects many BIG-IP versions from version 11.x to 17.x, and customers are advised to install the software version with fixes.

For versions that have not yet been patched, F5 offers workarounds, including blocking access to iControl REST through its own IP address and interface to manage and change the BIG-IP httpd configuration.

Other bugs corrected by F5 Other notable bugs fixed as part of the update include CVE-2022-25946 (CVSS 8.8), through which a certified attacker with administrative privileges “may be able to circumvent device mode restrictions due to a lack of verification of the device.” integrity in BIG-IP “and BIG-IP TMUI XSS vulnerability (CVE-2022-28707, CVSS 8.0), vulnerability for stored cross-site scripts (XSS) in an undisclosed page of the BIG-IP configuration utility.”

Most of the shortcomings are in BIG-IP, but other affected products include NGINX Service Mesh, NGINX App Protect, F5 Access for Android and Traffix SDC.

Previous articleWe wear a sweat sensor warns of an impending cytokine storm
Next articleInfrastructure as code: Maintains developer productivity while maintaining the security of organizations