Cisco Patches Critical Authentication Bypass BugCisco NFV Infrastructure Software Users Urged to Patch Immediately
Cisco has released an urgent software update to fix a critical authentication bug, that can allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator.
"There are no workarounds that address this vulnerability," says Cisco.
The bug, assigned CVE-2021-34746 with a CVSS score of 9.8, has been rated critical. The vulnerability affects the TACACS+ authentication, authorization and accounting feature of Cisco Enterprise NFV Infrastructure Software.
Cisco Enterprise NFV Infrastructure Software enables customers to deploy virtual network functions to be managed independently and to be provisioned dynamically. NFVIS also helps to virtualize Cisco branch network services, such as Integrated Services Virtual Router, virtual WAN optimization, Virtual ASA, virtual Wireless LAN Controller, and Next-Generation Virtual Firewall.
The vulnerability was discovered by Cyrille Chatras, a security researcher at Orange Group. Cisco on Wednesday released software updates that address this vulnerability, which affects Cisco Enterprise NFVIS Release 4.5.1 if the TACACS external authentication method is configured.
A spokesperson for Cisco was not immediately available to comment.
The U.S. Cybersecurity and Infrastructure Security Agency on Thursday issued an urgent notification to users and administrators asking them to review the Cisco advisory and apply the necessary update.
Cisco says the vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script.
"An attacker could exploit this vulnerability by injecting parameters into an authentication request. A successful exploit could allow the attacker to bypass authentication and log in as an administrator to the affected device," according to the Cisco advisory.
To identify if a TACACS external authentication feature is enabled on a device, users are required to use the show running-config tacacs-server command.
Cisco also shared an example of the output of the show running-config tacacs-server command on Cisco Enterprise NFVIS when TACACS external authentication is enabled.
"If the output of the show running-config tacacs-server command is No entries found, the TACACS external authentication feature is not enabled. Alternatively, check the configuration through the GUI. Choose Configuration > Host > Security > User and Roles," Cisco notes.
However, if TACACS+ host is defined under External Authentication, the device is considered to be vulnerable, researchers say. "Configurations that are using RADIUS or local authentication only are not affected."
Cisco's Product Security Incident Response Team claims it is aware of a proof-of-concept exploit code available for the vulnerability, but it says it is not aware of any malicious use of the vulnerability described in the advisory.