Cisco has released an important security update for its Enterprise NFV Infrastructure Software (NFVIS). Remote attackers could abuse vulnerability CVE-2021-34746 (CVSS score 9.8 out of 10) to completely bypass the software’s authentication mechanisms and log in as an administrator on the device on which it is installed.
Cisco’s advisory for CVE-2021-34746 narrows the attack options a little. According to it, NFVIS version 4.5.1 is vulnerable, and only if external authentication via TACACS is activated. The weak point is in the “TACACS+ authentication, authorization and accounting (AAA)” feature. According to Cisco, NFVIS versions from 4.6.1 upwards are secured.
Check the TACACS configuration
According to the advisory, the output of the command show running-config tacacs-server reveals whether the authentication method is active: if the command returns “No entries found”, TACACS is deactivated. Alternatively, you can check the configuration via the GUI (Configuration > Host > Security > User and Roles > External Authentication). In both cases, the following applies: if a TACACS+ host is defined, the device in question is vulnerable.
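The check described above can be applied across several devices once the version and the command output have been collected from each one. The following Python script is an added example, not code from Cisco or from the original article; the inventory format, hostnames, addresses and the sample TACACS line are constructed, and any output other than “No entries found” is assumed to mean that a TACACS+ host is defined.

```python
import re

NO_TACACS = "No entries found"   # string the advisory gives for "TACACS deactivated"
AFFECTED = (4, 5, 1)             # release named as vulnerable in the article
FIXED_FROM = (4, 6, 1)           # first release named as secured in the article


def parse_version(text):
    """Turn '4.5.1' or '4.5.1-FC2' into (4, 5, 1); None if unparseable."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def triage(version, tacacs_output):
    """Classify one device from its version and the captured command output."""
    ver = parse_version(version)
    out = (tacacs_output or "").strip()
    if ver is None or not out:
        # An empty capture means collection failed, not that TACACS is off.
        return "unknown: re-collect"
    if ver >= FIXED_FROM:
        return "fixed release"
    if NO_TACACS.lower() in out.lower():
        return "not exposed: TACACS disabled"
    if ver == AFFECTED:
        return "VULNERABLE: upgrade to 4.6.1 or later"
    return "TACACS enabled: check advisory for this release"


def triage_fleet(inventory):
    """Map each hostname to its verdict."""
    return {host: triage(ver, out) for host, ver, out in inventory}


# Constructed inventory (hostname, version, captured output). The line
# "tacacs-server host ..." is a made-up stand-in for a configured host,
# not verbatim NFVIS output.
INVENTORY = [
    ("nfvis-a", "4.5.1", "tacacs-server host 192.0.2.10"),
    ("nfvis-b", "4.5.1", "% No entries found."),
    ("nfvis-c", "4.6.1", "tacacs-server host 192.0.2.10"),
    ("nfvis-d", "4.5.1", ""),
    ("nfvis-e", "4.4.2", "tacacs-server host 192.0.2.11"),
]

if __name__ == "__main__":
    for host, verdict in triage_fleet(INVENTORY).items():
        print(f"{host:10} {verdict}")
```

Devices reported as "unknown" need the command output collected again before they can be ruled out.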
According to Cisco’s advisory on CVE-2021-34746, proof-of-concept code for attacks on the vulnerability is publicly available. However, active use of it in attacks has not yet been observed.
Current “medium” advisories available
In addition to the security notice about the critical vulnerability, Cisco has released advisories and updates for other products, namely Prime Infrastructure and Cisco Evolved Programmable Network (EPN) Manager, Prime Collaboration Provisioning, the Identity Services Engine (ISE) and Nexus Insights. The risk classification is “Medium” in each case. Cisco’s Security Center provides an overview of all advisories.