• NL
  • FR
  • DE
  • EN
www.belgium.be Logo of the federal government

WARNING:Cisco Enterprise NFV Infrastructure Software Authentication Bypass Vulnerability (system privileges) - PoC available

Reference: 
Advisory #2021-016
Version: 
1.0
Affected software: 
Cisco Enterprise NFV Infrastructure Software (NFVIS) if the TACACS external authentication feature is not configured.
Type: 
Authentication bypass (Administrator privileges)
CVE/CVSS: 

CVE-2021-34746 CVSS: 9.8

Date: 
06/09/2021

Sources

 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci...

Risks

Cisco reports that a proof-of-concept(PoC) exploit code is available.

There are no reportings of active exploitation, however, the availability of working PoC exploit code is an indicator that threat actors could leverage this vulnerability soon.

The Centre for Cyber security Belgium (CCB), urges system administrators to patch vulnerable Cisco Enterprise NFV Infrastructure Software (NFVIS) to version 4.6.1 and later if TACACS external authentication feature is configured.

NFVIS deployments are impacted by this vulnerability only if TACACS external authentication method is configured on a targeted device, which can be determined by running the "show running-config tacacs-server" command in the CLI (Command Line Interface) or via the Graphical User Interface (GUI). NFVIS deployments that are using RADIUS or local authentication as the authentication method are not affected.

Description

The Cisco TACACS+ authentication, authorization and accounting (AAA) feature of Cisco Enterprise NFV Infrastructure Software (NFVIS) is vulnerable due to incomplete validation of user-supplied input that is passed to an authentication script. 
 
A successful exploit could allow could allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator.

 

Recommended Actions

  • The CCB advises administrators to assess if the TACACS external authentication feature is enabled on a device using the show running-config tacacs-server command or via the Graphical User Interface (GUI).
  • The CCB recommends to all System administrators upgrade vulnerable devices to the latest versions released by the vendor.
  • The CCB advises organizations to upscale monitoring and detection capabilities to detect any related suspicious activity to ensure a fast response in case of an intrusion

References

Cisco Issues Patch for Critical Enterprise NFVIS Flaw — PoC Exploit Available (thehackernews.com)