A critical vulnerability (CVE-2021-34746) that affects Cisco Enterprise NFV Infrastructure Software has been patched and Cisco is urging enterprise admins to quickly upgrade to a fixed version. The bug could be exploited by remote attackers to bypass authentication and log in to an affected device as an administrator.
Cisco Enterprise NFVIS is Linux-based infrastructure software designed to help service providers and enterprises design, deploy and manage network services. It dynamically deploys virtualized network functions, such as a virtual router, firewall or WAN accelerator, on supported Cisco devices.
CVE-2021-34746 is found in the software’s TACACS+ authentication, authorization and accounting feature, but is exploitable only if the TACACS external authentication method is configured.
The root cause is incomplete validation of user-supplied input that is passed to an authentication script. Because the input is not properly checked before it reaches the script, an attacker can inject additional parameters into an authentication request and bypass the authentication process altogether, logging in as an administrator without valid credentials.
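To make the bug class concrete, here is an added, hypothetical model of the pattern described above; it is not Cisco's code and says nothing about how NFVIS actually invokes its script. It assumes a shim that hands a username and password to an external authentication script as command-line parameters, with a constructed credential store and an imagined "attacker-host" server that approves anything. The vulnerable shim builds the argument list by formatting and splitting a string, so whitespace in the username smuggles an extra `--server` parameter in; the hardened shim validates the fields against an allow-list and passes each one as a single argv element in `--option=value` form.

```python
import argparse
import re

# Constructed credential store keyed by server name (test data, not real).
CREDENTIALS = {
    "tacacs-prod": {"admin": "s3cret"},
}


def query_server(server, user, password):
    """Model of asking a TACACS+ server to verify a credential pair."""
    if server == "attacker-host":
        # Hypothetical server the attacker controls: it approves everything.
        return True
    return CREDENTIALS.get(server, {}).get(user) == password


def auth_script(argv):
    """Stand-in for the external authentication script the shim calls.

    The script takes its inputs as parameters; like argparse, many option
    parsers let the LAST occurrence of an option win.
    """
    parser = argparse.ArgumentParser(prog="tacacs-auth")
    parser.add_argument("--server", default="tacacs-prod")
    parser.add_argument("--user", required=True)
    parser.add_argument("--password", required=True)
    opts = parser.parse_args(argv)
    return query_server(opts.server, opts.user, opts.password)


def run_script(argv):
    try:
        return auth_script(argv)
    except SystemExit:
        return False  # the script rejected the argument list


def vulnerable_login(user, password):
    """Incomplete validation: the request is formatted into one string and
    split on whitespace, so user-controlled whitespace becomes new parameters.
    A username of "admin --server attacker-host" redirects the lookup."""
    request = f"--server tacacs-prod --user {user} --password {password}"
    return run_script(request.split())


USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def hardened_login(user, password):
    """Allow-list the fields, then pass each one as a single argv element.

    The --option=value form keeps a value that starts with '-' from being
    misread as an option, and the operator-controlled --server is placed last
    so that, even if a parser let a value split, the last occurrence wins.
    """
    if not USERNAME_RE.fullmatch(user):
        return False
    if not password or not all(c.isprintable() and not c.isspace() for c in password):
        return False
    argv = [f"--user={user}", f"--password={password}", "--server=tacacs-prod"]
    return run_script(argv)


if __name__ == "__main__":
    injected = "admin --server attacker-host"
    print("vulnerable, valid creds   :", vulnerable_login("admin", "s3cret"))
    print("vulnerable, injected param:", vulnerable_login(injected, "anything"))
    print("hardened,   valid creds   :", hardened_login("admin", "s3cret"))
    print("hardened,   injected param:", hardened_login(injected, "anything"))
```

The point generalises beyond this toy: whenever request fields are turned into parameters for another program, each field has to be validated against what the script actually expects and passed as one discrete argument, never rebuilt by string formatting and splitting.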
The vulnerability affects Cisco Enterprise NFVIS release 4.5.1 and has been fixed in releases 4.6.1 and later. There are no workarounds that mitigate the risk of exploitation, so upgrading to a fixed release is the only remedy.