A patch for a critical security vulnerability in Cisco’s Enterprise Network Function Virtualization Infrastructure Software (NFVIS) has been released; however, the danger of an attack is not yet over.
Tracked as CVE-2021-34746, the vulnerability carries a CVSS score of 9.8 out of 10, which makes it a high-severity flaw. According to the available information, the vulnerability may let a remote attacker bypass authentication and log in to a susceptible device as an administrator, thereby gaining full control of the compromised system.
It is noteworthy that enterprise-grade NFVIS installations are vulnerable to this attack only if the TACACS external authentication method is enabled on the targeted device, which can be checked by executing the “show running-config tacacs-server” command. As per Cisco’s advisory, if the output of that command reports “No entries found,” the TACACS external authentication feature is not active and the device is not affected.
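The check above is easy to script across a fleet of devices. The following triage helper is an added example, not Cisco’s code: it classifies the saved text of “show running-config tacacs-server” using the “No entries found” marker quoted from the advisory. The line layout of configured entries (a “host” keyword followed by the server address) and the sample outputs are assumptions constructed for the example, not captures from a real NFVIS device.

```python
import re
from dataclasses import dataclass, field

# Marker that Cisco's advisory says the command prints when TACACS
# external authentication is not configured (quoted from the advisory).
NO_ENTRIES_MARKER = "No entries found"


@dataclass
class TacacsCheck:
    tacacs_enabled: bool
    servers: list = field(default_factory=list)


def parse_tacacs_output(output: str) -> TacacsCheck:
    """Classify the text of `show running-config tacacs-server`.

    Returns tacacs_enabled=False when the output carries the advisory's
    "No entries found" marker (or is empty), otherwise True, together with
    any server addresses found in the configured entries.

    Assumption: the layout of configured entries is not taken from Cisco
    documentation. Every non-empty line is treated as an entry, and the
    token following the word "host" is taken as the server address.
    """
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines or any(NO_ENTRIES_MARKER in ln for ln in lines):
        return TacacsCheck(tacacs_enabled=False)
    servers = []
    for ln in lines:
        m = re.search(r"\bhost\s+(\S+)", ln)
        if m:
            servers.append(m.group(1))
    return TacacsCheck(tacacs_enabled=True, servers=servers)


def exposure_summary(output: str) -> str:
    """One-line verdict for an inventory report."""
    result = parse_tacacs_output(output)
    if not result.tacacs_enabled:
        return ("TACACS external authentication not active; "
                "CVE-2021-34746 precondition not met")
    hosts = ", ".join(result.servers) if result.servers else "unparsed entries"
    return (f"TACACS external authentication active ({hosts}); "
            "apply the NFVIS fix before exposing the management interface")


# Constructed sample outputs (not captured from a real device).
SAMPLE_NOT_CONFIGURED = "No entries found\n"
SAMPLE_CONFIGURED = """\
tacacs-server host 192.0.2.10 key 7 <redacted>
tacacs-server host tacacs.example.net key 7 <redacted>
"""

if __name__ == "__main__":
    for label, out in (("not configured", SAMPLE_NOT_CONFIGURED),
                       ("configured", SAMPLE_CONFIGURED)):
        print(f"{label}: {exposure_summary(out)}")
```

Feed the function the command output collected by whatever configuration-backup tooling already reaches the devices; a device reporting TACACS entries is the one to prioritise for the fixed NFVIS release, while a “No entries found” result only means the precondition is absent, not that the software is patched.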
More details about the vulnerability reveal that it stems from user-supplied input that the authentication script does not properly validate during the sign-in process, which may allow an attacker to inject additional parameters into a sign-in request. In its advisory, the network equipment company warned that a successful attack may enable the attacker to circumvent authentication and log in to the compromised device as an administrator.
In the published security advisory, Cisco acknowledged that publicly accessible proof-of-concept (PoC) exploit code targeting the vulnerability exists. However, the company reported that no in-the-wild exploitation attempts have been identified so far.
The patch for this vulnerability comes just a week after the company provided fixes for another high-severity security vulnerability, tracked as CVE-2021-1577. That flaw was found in its Nexus 9000 Series Switches and could enable attackers to read or write arbitrary files on the compromised system.
Additionally, Cisco is preparing updates for a zero-day vulnerability (CVE-2021-1585) in the Adaptive Security Device Manager (ASDM) Launcher that may enable an unauthenticated, remote attacker to run arbitrary code on a user’s operating system.