
Cisco ENCS - Improper Verification of Cryptographic Signature in NFVIS (CVE-2022-20929)

High
orange-cert-cc published GHSA-4f6q-86ww-gmcr Oct 11, 2022

Package

NFVIS (Cisco)

Affected versions

4.5.1-FC2

Patched versions

4.9.1

Description

Overview

There is no cryptographic signature on NFVIS upgrades. This allows an attacker to build a fake upgrade that fully compromises the NFVIS if an administrator can be convinced to install it.

Details

There is no cryptographic signature on NFVIS upgrades. An attacker can create a specially crafted NFVIS upgrade archive and convince an admin to install it, thus taking full control of the NFVIS.

The documentation states that RPM packages in an upgrade are signed to ensure authenticity. However, the upgrade archive contains not only RPMs but also pre/post-install "hooks" (Python scripts) that are not signed. An attacker can take an existing upgrade archive, modify its Python scripts, rebuild the archive and convince an admin to install it.

Proof-of-Concept

We took the upgrade for 4.5.1-FC2 (Cisco_NFVIS_BRANCH_Upgrade-4.5.1-FC2.nfvispkg), uncompressed it, and changed some files:

  • in hooks/prehook.py, we updated the function op_run() and added a simple command in order to show that it is executed with root privileges.
$ diff -r Cisco_NFVIS_BRANCH_Upgrade-4.5.1-FC2/hooks/prehook.py Cisco_NFVIS_BRANCH_Upgrade-4.5.1-FC2_evil/hooks/prehook.py
675a676,679
>     # Evil
>     with open("/data/intdatastore/uploads/an_evil_upgrade_has_been_installed", "w") as f:
>         execute_cmds(['id'], stdout=f)
> 
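Review bot: the four lines inserted at 675a676,679 make the pre-install hook run `id` and write its output under /data/intdatastore/uploads, which is why the reproduction below checks for that file after the post-upgrade reboot; the only integrity value covering hooks/prehook.py is the MD5 in upgrade.manifest, which the same person regenerates in the next step, so nothing in the package ties the hook's contents to the vendor.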
  • in upgrade.manifest, the fields NAME, VERSION and CW_VERSION are updated with a higher version number. Then we fixed the MD5 sum of the hooks/prehook.py we had modified.

After the reboot post-upgrade, we can confirm that the rogue version has been installed and that a file an_evil_upgrade_has_been_installed exists in /data/intdatastore/uploads/.

Solutions

Solution proposed to Cisco

Add a cryptographic signature check to the upgrade packages.
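To make concrete why the per-file MD5 in upgrade.manifest is an integrity check but not an authenticity check, and what the proposed signature check adds, here is an added example (not Cisco's code, not from the advisory authors). It models the archive as an in-memory dict and uses an HMAC with a vendor-held key as a stand-in for a real public-key signature; a real implementation would ship only the public key on the device. All file names and contents are constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-in for an upgrade archive: path -> bytes (not a real NFVIS package).
ARCHIVE = {
    "hooks/prehook.py": b"def op_run():\n    pass\n",
    "rpms/nfvis-core.rpm": b"<signed rpm bytes>",
}

# Assumption: key known only to the vendor build system (stand-in for a private signing key).
VENDOR_KEY = b"vendor-build-key"


def build_manifest(archive, version="4.5.1-FC2"):
    """Constructed manifest: per-file MD5, as upgrade.manifest carries on the page."""
    return {"VERSION": version, "md5": {p: hashlib.md5(b).hexdigest() for p, b in archive.items()}}


def md5_check(archive, manifest):
    """Integrity-only check: passes whenever files match the manifest, whoever wrote it."""
    return all(hashlib.md5(archive[p]).hexdigest() == d for p, d in manifest["md5"].items())


def sign_manifest(manifest, key):
    """Sign the canonical serialisation of the manifest (HMAC here, asymmetric in practice)."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def signed_check(archive, manifest, signature, key=VENDOR_KEY):
    """Authenticity check: manifest signature must verify, then files must match the manifest."""
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, signature):
        return False  # manifest (and so every digest it binds) is not vendor-issued
    return md5_check(archive, manifest)


def modify_hook(archive):
    """Models the page's scenario: the hook changes and the manifest MD5 is regenerated."""
    changed = dict(archive)
    changed["hooks/prehook.py"] += b"# extra lines appended to the hook\n"
    return changed, build_manifest(changed, version="4.5.1-FC3")
```

Regenerating the MD5 keeps md5_check passing, while signed_check fails for the modified hook both under the original signed manifest and under a regenerated manifest signed with any key other than the vendor's.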

Security patch

Upgrade to Cisco Enterprise NFVIS Release 4.9.1, as described in the Cisco Security Advisory.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-20929
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-NFVIS-ISV-BQrvEv2h

Timeline

Date reported: December 16, 2021
Date fixed: October 5, 2022

Severity

High, 7.8 / 10

CVSS base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE ID

CVE-2022-20929

Weaknesses