Issued: Tuesday, 28 September, 2021
Last Revision: Tuesday, 28 September, 2021
Vendor: Cisco
Product: Cisco Enterprise NFV Infrastructure Software (NFVIS)
Severity Level:
A vulnerability in the TACACS+ authentication, authorization and accounting (AAA) feature of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator.
This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script. An attacker could exploit this vulnerability by injecting parameters into an authentication request.
A successful exploit could allow the attacker to bypass authentication and log in as an administrator to the affected device.
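The defect class described above is unvalidated user input reaching an external authentication helper, where a crafted value can be read as an option rather than as data. The following is an added illustrative model of the hardened input handling a defender would expect, not Cisco's NFVIS code; the helper path, the `--server` option and the allowlist policy are assumptions.

```python
import re
import subprocess
from typing import List, Tuple

# Assumed allowlist for identifiers handed to an external authentication helper:
# letters, digits, '.', '_', '@' and '-', 1..64 characters, never starting with '-'.
_IDENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]{0,63}$")


def validate_aaa_identifier(value: str) -> Tuple[bool, str]:
    """Return (ok, reason). Rejects anything an option parser or a shell could
    reinterpret: option-like prefixes, control bytes, and characters outside
    the allowlist (whitespace, quotes, ';', '|', etc.)."""
    if not isinstance(value, str) or not value:
        return False, "empty"
    if value.startswith("-"):
        return False, "option-like prefix"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return False, "control character"
    if not _IDENT_RE.fullmatch(value):
        return False, "character outside allowlist"
    return True, "ok"


def build_auth_argv(helper: str, username: str, server: str) -> List[str]:
    """Build the argv for the (assumed) helper. Every user-controlled value is
    validated first, and '--' ends option parsing so that even a later relaxed
    allowlist cannot turn data into a flag. The password is deliberately kept
    off the command line (it would be visible in the process list)."""
    for name, val in (("username", username), ("server", server)):
        ok, why = validate_aaa_identifier(val)
        if not ok:
            raise ValueError(f"rejected {name}: {why}")
    return [helper, "--server", server, "--", username]


def run_auth(helper: str, username: str, password: str, server: str) -> bool:
    """Invoke the helper without a shell; the secret is passed on stdin."""
    argv = build_auth_argv(helper, username, server)
    proc = subprocess.run(argv, input=password.encode(), capture_output=True, timeout=10)
    return proc.returncode == 0
```

The same validation should be applied to every field of the authentication request, not only the username, because any of them may end up as an argument to the helper.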
| Description | CVE | CVSS 3.0 Score |
| --- | --- | --- |
| Cisco Enterprise NFV Infrastructure Software Authentication Bypass Vulnerability | CVE-2021-34746 | 9.8 |

Table 1: Vulnerability details
| Vulnerability / CVE | Affected Product(s) |
| --- | --- |
| CVE-2021-34746 | Enterprise NFVIS Release 4.5.1 (if the TACACS external authentication method is configured) |

Table 2: Affected versions
Cisco has released free software updates that address the vulnerability described in this Risk Directive.
Entities are advised to determine whether the TACACS external authentication feature is enabled on a device, and to confirm license validity and support agreement coverage, before downloading and installing the software update.
In addition to the above, entities should ensure that the devices to be upgraded have sufficient memory, and confirm that their current hardware and software configurations will continue to be supported by the new release.
If the information is not clear, entities are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Cisco fixed this vulnerability in Cisco Enterprise NFVIS releases 4.6.1 and later.
