First published: Thu Sep 02 2021
A vulnerability in the TACACS+ authentication, authorization and accounting (AAA) feature of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator. This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script. An attacker could exploit this vulnerability by injecting parameters into an authentication request. A successful exploit could allow the attacker to bypass authentication and log in as an administrator to the affected device.
Credit: ykramarz@cisco.com
Affected Software | Affected Version | How to fix |
---|---|---|
Cisco Enterprise NFV Infrastructure Software | <4.6.1 | |
CVE-2021-34746 is a vulnerability in the TACACS+ authentication, authorization, and accounting (AAA) feature of Cisco Enterprise NFV Infrastructure Software (NFVIS) that allows an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator.
CVE-2021-34746 has a severity rating of 9.8 (critical).
Cisco Enterprise NFV Infrastructure Software (NFVIS) versions up to and excluding 4.6.1 are affected by CVE-2021-34746.
CVE-2021-34746 is associated with CWE-287 (Improper Authentication) and CWE-289 (Improper Verification of Cryptographic Signature).
For more information about CVE-2021-34746, you can refer to the following references:
- GitHub Advisory: [https://github.com/orangecertcc/security-research/security/advisories/GHSA-gqx8-c4xr-c664](https://github.com/orangecertcc/security-research/security/advisories/GHSA-gqx8-c4xr-c664)
- Cisco Security Advisory: [https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nfvis-g2DMVVh](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nfvis-g2DMVVh)