Patched: Critical bug with public PoC exploit in Cisco infrastructure virtualization software (CVE-2021-34746)

A critical vulnerability (CVE-2021-34746) that affects Cisco Enterprise NFV Infrastructure Software (NFVIS) has been patched and Cisco is urging enterprise admins to quickly upgrade to a fixed version, as proof-of-concept exploit code is already available.

The bug could be exploited by remote attackers to bypass authentication and log in to an affected device as an administrator.

About the vulnerability (CVE-2021-34746)

“Linux-based infrastructure software designed to help service providers and enterprises to design, deploy and manage network services. Cisco Enterprise NFVIS helps dynamically deploy virtualized network functions, such as a virtual router, firewall, and WAN accelerator on supported Cisco devices,” Cisco explains.

The solutions allows enterprises to “virtualize network services and applications at the branch similar to how servers have been virtualized in the data center and the cloud.”

CVE-2021-34746, which was reported by researcher Cyrille Chatras of Orange Group, is found in the software’s TACACS+ authentication, authorization and accounting feature, but is exploitable only if the TACACS external authentication method is configured.

The source of the flaw is incomplete validation of user-supplied input that is passed to an authentication script, meaning that an attacker can inject parameters into an authentication request to bypass the process altogether.

The vulnerability affects Cisco Enterprise NFVIS release 4.5.1, and has been fixed in releases 4.6.1 and later. Users should upgrade the software because there are no workarounds for mitigating the risk of exploitation.

But even if proof-of-concept exploit code is available, there’s no need for panic, as there is currently no evidence of the flaw being exploited by malicious actors.

To check whether your installation is vulnerable, follow the instructions provided by Cisco.