Orange Group security researcher Cyrille Chatras discovered a vulnerability in the TACACS+ authentication, authorization, and accounting (AAA) feature of Cisco Enterprise NFV Infrastructure Software (NFVIS).
Cisco released software updates that address this critical authentication bypass vulnerability in NFVIS, for which proof-of-concept exploit code already exists.
This vulnerability, tracked as CVE-2021-34746 (CVSS score of 9.8), allows an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator. It affects Cisco Enterprise NFVIS Release 4.5.1 if the TACACS external authentication method is configured.
According to Cisco’s announcement, customers may only install and expect support for software versions and feature sets for which they have purchased a license. The company also recommends its customers regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page.