Advisory - Security Updates for Cisco Enterprise NFVIS
Cisco has released security updates to fix a critical vulnerability affecting Cisco Enterprise Network Function Virtualization Infrastructure Software (NFVIS), a solution that allows flexible management of virtual network functions. The fixed vulnerability affects the TACACS+ authentication, authorization and accounting (AAA) feature.
The fixed critical vulnerability is the Authentication Bypass Vulnerability (CVE-2021-34746).
Affected product: Cisco Enterprise NFVIS release 4.5.1 with the TACACS+ AAA feature configured.
A remote attacker can exploit this vulnerability by injecting parameters into an authentication request, which allows the malicious actor to circumvent the authentication and log in to an unpatched device as an administrator.
For the list of security patches released by Cisco, please refer to Cisco Security Advisories.
The National Cyber Security Authority (NCSA) strongly recommends that system administrators:
a. Apply the required and latest security updates to all Cisco systems in use.
b. Before any update task, ensure they have a good backup that can easily be restored.
For further information and support, please contact NCSA by email at rwcsirt@ncsa.gov.rw or call us on 9009.
03 September 2021