Cisco Patches Critical Authentication Bug With Public Exploit

cisco patch DCNM

There’s proof-of-concept code out for the near-maximum critical – rated at 9.8 – authentication bypass bug, but Cisco hasn’t seen any malicious exploit yet.

Cisco has patched a near-max critical bug in its NFVIS software for which there’s a publicly available proof-of-concept (PoC) exploit.

On Wednesday, Cisco released patches for the flaw – an authentication bypass vulnerability in Enterprise NFV Infrastructure Software (NFVIS) that’s tracked as CVE-2021-34746.

Cisco Enterprise NFVIS is a Linux-based piece of infrastructure software that helps service providers and other customers to deploy virtualized network functions, such as virtual routers and firewalls, as well as WAN acceleration, on supported Cisco devices. It also provides automated provisioning and centralized management.

Infosec Insiders Newsletter

This vulnerability, which bumps up against the ceiling of maximum severity with a CVSS base score of 9.8, could allow an unauthenticated, remote attacker to bypass authentication and log in to a vulnerable device as admin.

“An attacker could exploit this vulnerability by injecting parameters into an authentication request,” Cisco explained in its security advisory. “A successful exploit could allow the attacker to bypass authentication and log in as an administrator to the affected device.”

If TACACS Authentication Is On, You’re Vulnerable

The vulnerability is due to incomplete validation of user-supplied input that’s passed to an authentication script during sign-in. The flaw is found in Cisco Enterprise NFVIS Release 4.5.1 if the TACACS external authentication method – the authentication, authorization and accounting (AAA) feature of the software – is configured.

To check if a device is vulnerable to exploits of CVE-2021-34746, check whether the TACACS external authentication feature is toggled on. You can do that by using the “show running-config tacacs-server” command. Here’s an example that shows the output of that command if TACACS authentication is enabled:

nfvis# show running-config tacacs-server
tacacs-server host
key 0
shared-secret “example!23”
admin-priv 15
oper-priv 1

If the command displays “no entries found”, good news: TACACS is disabled.

Alternatively, users can check if TACACS authentication is on via the GUI: go to Configuration > Host > Security > User and Roles and check to see if the feature shows up under External Authentication.

Cisco said that configurations using RADIUS or local authentication only aren’t affected.

No Workarounds

There are no workarounds to mitigate this vulnerability. Patches to address the bug are available in Enterprise NFVIS releases 4.6.1 and later.

Cisco said that it’s aware of the publicly available PoC exploit code but that it hasn’t seen any successful malicious exploits at this point.

The exploit was discovered by Orange Group security researcher Cyrille Chatras, whom Cisco thanked in its advisory.

Still Waiting on a Patch for ADSM Zero-Day

A month ago, Cisco revealed that a remote code execution (RCE) vulnerability in its Adaptive Security Device Manager (ADSM) Launcher that it disclosed in July was a zero-day bug that still hasn’t been fixed.

That bug, tracked as CVE-2021-1585, has a CVSS base score of 7.5 and could allow RCE. The vulnerability is caused by improper signature verification for code exchanged between the ASDM – a firewall appliance manager that provides a web interface for managing Cisco Adaptive Security Appliance (ASA) firewalls and AnyConnect Secure Mobility clients – and the Launcher.

” A successful exploit could allow the attacker to execute arbitrary code on the user’s operating system with the level of privileges assigned to the ASDM Launcher,” Cisco said. “A successful exploit may require the attacker to perform a social engineering attack to persuade the user to initiate communication from the Launcher to the ASDM.”

There are no workarounds available. The vulnerability affects Cisco ASDM releases 7.16(1.150) and earlier.

Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles