ID

VAR-202102-0549


CVE

CVE-2021-1243


TITLE

Cisco IOS XR  Software access control vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2021-003116

DESCRIPTION

A vulnerability in the Local Packet Transport Services (LPTS) programming of the SNMP with the management plane protection feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to allow connections despite the management plane protection that is configured to deny access to the SNMP server of an affected device. This vulnerability is due to incorrect LPTS programming when using SNMP with management plane protection. An attacker could exploit this vulnerability by connecting to an affected device using SNMP. A successful exploit could allow the attacker to connect to the device on the configured SNMP ports. Valid credentials are required to execute any of the SNMP requests. Cisco IOS XR The software contains a vulnerability related to access control.Information may be tampered with

Trust: 1.8

sources: NVD: CVE-2021-1243 // JVNDB: JVNDB-2021-003116 // VULHUB: VHN-374297 // VULMON: CVE-2021-1243

AFFECTED PRODUCTS

vendor:ciscomodel:ios xrscope:eqversion:6.7.1

Trust: 1.0

vendor:ciscomodel:ios xrscope:gteversion:7.0.0

Trust: 1.0

vendor:ciscomodel:ios xrscope:eqversion:7.0.11

Trust: 1.0

vendor:ciscomodel:ios xrscope:eqversion:7.2.0

Trust: 1.0

vendor:ciscomodel:ios xrscope:ltversion:7.0.2

Trust: 1.0

vendor:ciscomodel:ios xrscope:eqversion:7.1.0

Trust: 1.0

vendor:ciscomodel:ios xrscope:gtversion:6.1.1

Trust: 1.0

vendor:ciscomodel:ios xrscope:ltversion:6.6.4

Trust: 1.0

vendor:シスコシステムズmodel:cisco ios xrscope:eqversion: -

Trust: 0.8

vendor:シスコシステムズmodel:cisco ios xrscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-003116 // NVD: CVE-2021-1243

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-1243
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2021-1243
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-1243
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202102-246
value: HIGH

Trust: 0.6

VULHUB: VHN-374297
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-1243
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-374297
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-1243
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2021-1243
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2021-1243
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-374297 // JVNDB: JVNDB-2021-003116 // CNNVD: CNNVD-202102-246 // NVD: CVE-2021-1243 // NVD: CVE-2021-1243

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-284

Trust: 1.0

problemtype:Inappropriate access control (CWE-284) [ Other ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-003116 // NVD: CVE-2021-1243

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202102-246

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202102-246

PATCH

title:cisco-sa-snmp-7MKrW7Nqurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-7MKrW7Nq

Trust: 0.8

title:Cisco IOS XR Fixes for access control error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=141107

Trust: 0.6

title:Cisco: Cisco IOS XR Software SNMP Management Plane Protection ACL Bypass Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-snmp-7MKrW7Nq

Trust: 0.1

sources: VULMON: CVE-2021-1243 // JVNDB: JVNDB-2021-003116 // CNNVD: CNNVD-202102-246

EXTERNAL IDS

db:NVDid:CVE-2021-1243

Trust: 2.6

db:JVNDBid:JVNDB-2021-003116

Trust: 0.8

db:CNNVDid:CNNVD-202102-246

Trust: 0.6

db:VULHUBid:VHN-374297

Trust: 0.1

db:VULMONid:CVE-2021-1243

Trust: 0.1

sources: VULHUB: VHN-374297 // VULMON: CVE-2021-1243 // JVNDB: JVNDB-2021-003116 // CNNVD: CNNVD-202102-246 // NVD: CVE-2021-1243

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-snmp-7mkrw7nq

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-1243

Trust: 1.4

url:https://vigilance.fr/vulnerability/cisco-ios-xr-privilege-escalation-via-snmp-acl-bypass-34478

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/284.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/196142

Trust: 0.1

sources: VULHUB: VHN-374297 // VULMON: CVE-2021-1243 // JVNDB: JVNDB-2021-003116 // CNNVD: CNNVD-202102-246 // NVD: CVE-2021-1243

SOURCES

db:VULHUBid:VHN-374297
db:VULMONid:CVE-2021-1243
db:JVNDBid:JVNDB-2021-003116
db:CNNVDid:CNNVD-202102-246
db:NVDid:CVE-2021-1243

LAST UPDATE DATE

2024-08-14T13:54:14.084000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-374297date:2022-09-20T00:00:00
db:VULMONid:CVE-2021-1243date:2021-02-08T00:00:00
db:JVNDBid:JVNDB-2021-003116date:2021-10-18T08:04:00
db:CNNVDid:CNNVD-202102-246date:2022-09-21T00:00:00
db:NVDid:CVE-2021-1243date:2023-11-07T03:27:46.503

SOURCES RELEASE DATE

db:VULHUBid:VHN-374297date:2021-02-04T00:00:00
db:VULMONid:CVE-2021-1243date:2021-02-04T00:00:00
db:JVNDBid:JVNDB-2021-003116date:2021-10-18T00:00:00
db:CNNVDid:CNNVD-202102-246date:2021-02-03T00:00:00
db:NVDid:CVE-2021-1243date:2021-02-04T17:15:14.700