Cisco has addressed an almost maximum severity authentication bypass vulnerability in its Enterprise NFV Infrastructure Software (NFVIS). There is proof-of-concept (PoC) exploit code available in the public, which makes it more urgent for organizations to apply the patch. The bug, which is tracked as CVE-2021-34746, was found in the TACACS+ authentication, authorization, and accounting (AAA) of Cisco’s Enterprise NFV Infrastructure Software. The software is designed to help virtualize network services for easier management of virtual network functions. CVE-2021-34746 is caused by incomplete validation of user-supplied input passed to an authentication script during the sign-in process which allows unauthenticated, remote attackers to log into the unpatched device as an administrator.
Not all enterprise NFVIS devices are vulnerable to the attack, but any organization running these devices should check to see if they are vulnerable. Cisco stated that there is no workaround to remove the attack vector exposed by this flaw. The issue has been fixed in NFVIS releases 4.6.1 and later. Furthermore, the company stated that the PoC exploit code was available in the wild, but they are not aware of any active exploitation of the bug at this time.