Cisco has fixed a critical authentication bypass bug in Enterprise NFV Infrastructure Software (NFVIS) for which public proof-of-concept (PoC) exploit code is available.
The vulnerability (CVE-2021-34746) was found in the TACACS+ authentication, authorization, and accounting (AAA) feature of Cisco’s Enterprise NFV Infrastructure Software. The software was launched in 2016 and offered the flexibility to independently manage virtual network functions (VNFs) by virtualizing and abstracting virtual networks from the underlying hardware.
CVE-2021-34746 impacted the authentication stage during the sign-in process. The bug allowed remote attackers to bypass the authentication check and access the vulnerable device as an administrator.
However, not all Enterprise NFVIS devices are vulnerable to CVE-2021-34746. Only the devices with the TACACS external authentication method enabled were open to an attack facilitated by this bug.
The easiest way to check whether a device is exposed to CVE-2021-34746 is to check whether the TACACS external authentication feature is enabled on it. To do this from the command line, run the command show running-config tacacs-server. If TACACS isn’t active on the device, the result will be displayed as “no entries found.”
Alternatively, use the GUI and go to Configuration > Host > Security > User and Roles. If the TACACS feature is enabled, you will find it under the External Authentication tab.
Cisco also stated that there are no workarounds available to close the attack vector exposed by CVE-2021-34746. However, the issue has been addressed in later versions, including Enterprise NFVIS version 4.6.1.
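As an added example (not Cisco's code and not part of the original article), the Python below applies the two checks described above to saved per-device data: the release number and the captured output of show running-config tacacs-server. It assumes 4.6.1 is the first fixed release, that the release string comes from your own inventory, and that the function names, device names, prompt and sample outputs are all constructed for illustration.

```python
import re

FIXED = (4, 6, 1)  # assumption: 4.6.1, the release the article names, is the first fixed one
CHECK_CMD = "show running-config tacacs-server"
NOT_ENABLED = "no entries found"  # output the article gives when TACACS is not active

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is unusable."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def tacacs_enabled(cli_output):
    """True/False from saved command output; None when nothing was captured."""
    lines = [l.strip().lower() for l in (cli_output or "").splitlines()]
    lines = [l for l in lines if l and CHECK_CMD not in l]  # drop blanks, echoed command
    if not lines:
        return None  # a failed collection must not be read as "not exposed"
    # Anything other than the "no entries found" message is treated as
    # configuration being present, which errs toward manual review.
    return not any(NOT_ENABLED in l for l in lines)

def classify(version, cli_output):
    """Return 'patched', 'exposed', 'tacacs-disabled' or 'unknown' for one device."""
    ver = parse_version(version)
    if ver is not None and ver >= FIXED:  # tuple compare, so 4.10.x sorts above 4.6.1
        return "patched"
    state = tacacs_enabled(cli_output)
    if state is None:
        return "unknown"
    return "exposed" if state else "tacacs-disabled"

# Constructed inventory: hostnames, releases, prompt and outputs are sample data.
# The TACACS-enabled output is a stand-in, not a transcript from a real device.
SAMPLES = {
    "branch-01": ("4.5.1", "nfvis# show running-config tacacs-server\n% No entries found.\n"),
    "branch-02": ("4.5.1", "tacacs-server host 192.0.2.10\n key <redacted>\n"),
    "branch-03": ("4.6.1", "tacacs-server host 192.0.2.10\n key <redacted>\n"),
    "branch-04": ("4.5.1", ""),  # collection failed, nothing captured
}

def triage(inventory):
    return {name: classify(ver, out) for name, (ver, out) in inventory.items()}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Devices reported as exposed or unknown are the ones to upgrade or re-check first.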
The company’s Product Security Incident Response Team (PSIRT) revealed that proof-of-concept exploit code is available, but they aren’t aware of any current exploitation.