Overview
There is no cryptographic signature on NFVIS upgrade packages. An attacker can therefore build a forged upgrade and, if they can convince an administrator to install it, fully compromise the NFVIS appliance.
Details
There is no cryptographic signature on NFVIS upgrades. An attacker can create a specially crafted NFVIS upgrade archive and convince an admin to install it, thus taking full control of the NFVIS.
The documentation states that the RPM packages in an upgrade are signed to ensure authenticity. However, the upgrade archive contains not only RPMs but also pre/post-install "hooks" (Python scripts) that are not signed. An attacker can take an existing upgrade archive, modify its Python scripts, rebuild the archive and convince an admin to install it.
Proof-of-Concept
We took the upgrade for 4.5.1-FC2 (Cisco_NFVIS_BRANCH_Upgrade-4.5.1-FC2.nfvispkg), uncompressed it, and changed some files:
- in hooks/prehook.py, we updated the function op_run() and added a simple command in order to show that it is executed with root privileges.
$ diff -r Cisco_NFVIS_BRANCH_Upgrade-4.5.1-FC2/hooks/prehook.py Cisco_NFVIS_BRANCH_Upgrade-4.5.1-FC2_evil/hooks/prehook.py
675a676,679
> # Evil
> with open("/data/intdatastore/uploads/an_evil_upgrade_has_been_installed", "w") as f:
> execute_cmds(['id'], stdout=f)
>
- in upgrade.manifest, the fields NAME, VERSION and CW_VERSION were updated with a higher version number. Then we fixed the MD5 sum of the hooks/prehook.py we modified.
After the post-upgrade reboot, we confirmed that the rogue version had been installed and that the file an_evil_upgrade_has_been_installed exists in /data/intdatastore/uploads/.
Solutions
Solution proposed to Cisco
Add a cryptographic signature check to the upgrade packages.
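To make the proposed fix concrete, the following is an added example written for this page; it is not code from the advisory, from the NFVIS upgrade tooling or from Cisco. It models a minimal upgrade package as an in-memory tar archive holding the package files, an upgrade.manifest listing a digest per file, and a detached signature over the manifest. Everything about the layout is assumed: the file names, the manifest format, the use of SHA-256 (the real manifest carries MD5 sums, which changes nothing about the argument), and HMAC-SHA256 under a constructed key standing in for the vendor's asymmetric signature so that the example runs on the standard library alone. The tamper() function models the proof-of-concept above: it edits hooks/prehook.py and fixes the digest in the manifest. A digest-only check accepts the result, because the attacker controls both the file and the manifest; a check that first verifies a signature over the manifest rejects it, because the attacker cannot produce a fresh signature.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed stand-in for the vendor's package signing key. A real design would
# use an asymmetric signature (e.g. Ed25519) with only the public key on the
# appliance; HMAC is used here only so the example runs with the stdlib.
VENDOR_KEY = b"constructed-vendor-signing-key"
META = ("upgrade.manifest", "upgrade.manifest.sig")

# Constructed sample package contents, not real NFVIS files.
ORIGINAL_FILES = {
    "hooks/prehook.py": b"def op_run():\n    return 'pre-install steps'\n",
    "rpms/nfvis-core.rpm": b"<constructed rpm bytes>",
}


def build_manifest(files):
    """Manifest text: one 'sha256hex  path' line per file, sorted by path."""
    lines = [f"{hashlib.sha256(data).hexdigest()}  {path}"
             for path, data in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()


def sign_manifest(manifest, key=VENDOR_KEY):
    """Authenticate the manifest bytes with the vendor key."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest().encode()


def write_tar(members):
    """Serialise {path: bytes} into a gzip-compressed tar in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in members.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_tar(blob):
    """Read a tar produced by write_tar back into {path: bytes}."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile():
                out[m.name] = tar.extractfile(m).read()
    return out


def build_package(files, key=VENDOR_KEY):
    """Vendor side: package files plus a signed manifest."""
    manifest = build_manifest(files)
    members = dict(files)
    members["upgrade.manifest"] = manifest
    members["upgrade.manifest.sig"] = sign_manifest(manifest, key)
    return write_tar(members)


def verify_hashes_only(blob):
    """Integrity check modelled on a manifest that only carries per-file digests.
    Every listed digest must match and no unlisted file may be present."""
    members = read_tar(blob)
    manifest = members.get("upgrade.manifest")
    if manifest is None:
        return False
    expected = {}
    for line in manifest.decode().splitlines():
        digest, path = line.split("  ", 1)
        expected[path] = digest
    payload = {p: d for p, d in members.items() if p not in META}
    if set(payload) != set(expected):
        return False
    return all(hashlib.sha256(d).hexdigest() == expected[p] for p, d in payload.items())


def verify_signed(blob, key=VENDOR_KEY):
    """Authenticity check: the manifest signature must verify before any digest
    in the manifest, and therefore any hook, is trusted."""
    members = read_tar(blob)
    manifest, sig = members.get("upgrade.manifest"), members.get("upgrade.manifest.sig")
    if manifest is None or sig is None:
        return False
    if not hmac.compare_digest(sig, sign_manifest(manifest, key)):
        return False
    return verify_hashes_only(blob)


def tamper(blob):
    """Model of the advisory's PoC: modify the pre-install hook and fix its digest
    in the manifest. The stale signature is left in place because the attacker
    does not hold the vendor key."""
    members = read_tar(blob)
    members["hooks/prehook.py"] += b"\n# constructed marker: hook was modified\n"
    members["upgrade.manifest"] = build_manifest(
        {p: d for p, d in members.items() if p not in META})
    return write_tar(members)


if __name__ == "__main__":
    genuine = build_package(ORIGINAL_FILES)
    evil = tamper(genuine)
    print("genuine: hashes", verify_hashes_only(genuine), "signed", verify_signed(genuine))
    print("tampered: hashes", verify_hashes_only(evil), "signed", verify_signed(evil))
```

The order of checks in verify_signed() is the design point: the signature covers the manifest, the manifest covers every file including the hooks, and no file is executed or unpacked for use until both layers pass. A digest that the installer reads from inside the same archive it is checking can always be "fixed" by whoever rebuilt the archive, which is exactly what the PoC does.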
Security patch
Upgrade to Cisco Enterprise NFVIS Release 4.9.1, as described in the Cisco Security Advisory.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-20929
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-NFVIS-ISV-BQrvEv2h
Timeline
Date reported: December 16, 2021
Date fixed: October 5, 2022