Details of VAR-202109-0622

ID

VAR-202109-0622

CVE

CVE-2021-34746

TITLE

Cisco Enterprise NFV Infrastructure Software Authentication vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-010328

DESCRIPTION

A vulnerability in the TACACS+ authentication, authorization and accounting (AAA) feature of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator. This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script. An attacker could exploit this vulnerability by injecting parameters into an authentication request. A successful exploit could allow the attacker to bypass authentication and log in as an administrator to the affected device. (DoS) It may be in a state. Cisco Enterprise NFV Infrastructure Software (NFVIS) is a set of NVF infrastructure software platform of Cisco (Cisco). The platform can realize the full lifecycle management of virtualized services through the central coordinator and controller

Trust: 1.8

sources: NVD: CVE-2021-34746 // JVNDB: JVNDB-2021-010328 // VULHUB: VHN-394988 // VULMON: CVE-2021-34746

AFFECTED PRODUCTS

vendor:	cisco	model:	enterprise nfv infrastructure software	scope:	lt	version:	4.6.1	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco enterprise nfv infrastructure software	scope:	eq	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco enterprise nfv infrastructure software	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-010328 // NVD: CVE-2021-34746

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-34746
value:	CRITICAL
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-34746
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2021-34746
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-202109-092
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-394988
value:	HIGH
Trust: 0.1
VULMON:	CVE-2021-34746
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-34746
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-394988
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-34746
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	CVE-2021-34746
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-394988 // VULMON: CVE-2021-34746 // JVNDB: JVNDB-2021-010328 // CNNVD: CNNVD-202109-092 // NVD: CVE-2021-34746 // NVD: CVE-2021-34746

PROBLEMTYPE DATA

problemtype:	CWE-287	Trust: 1.1
problemtype:	CWE-289	Trust: 1.0
problemtype:	Inappropriate authentication (CWE-287) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-394988 // JVNDB: JVNDB-2021-010328 // NVD: CVE-2021-34746

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202109-092

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202109-092

PATCH

title:	cisco-sa-nfvis-g2DMVVh	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nfvis-g2DMVVh	Trust: 0.8
title:	Cisco Enterprise NFV Infrastructure Software Remediation measures for authorization problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=162143	Trust: 0.6
title:	Cisco: Cisco Enterprise NFV Infrastructure Software Authentication Bypass Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-nfvis-g2DMVVh	Trust: 0.1
title:	Threatpost	url:	https://threatpost.com/cisco-patches-critical-authentication-bug-with-public-exploit/169146/	Trust: 0.1
title:	BleepingComputer	url:	https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-authentication-bypass-bug-with-public-exploit/	Trust: 0.1

sources: VULMON: CVE-2021-34746 // JVNDB: JVNDB-2021-010328 // CNNVD: CNNVD-202109-092

EXTERNAL IDS

db:	NVD	id:	CVE-2021-34746	Trust: 3.4
db:	JVNDB	id:	JVNDB-2021-010328	Trust: 0.8
db:	CNNVD	id:	CNNVD-202109-092	Trust: 0.7
db:	AUSCERT	id:	ESB-2021.2961	Trust: 0.6
db:	VULHUB	id:	VHN-394988	Trust: 0.1
db:	VULMON	id:	CVE-2021-34746	Trust: 0.1

sources: VULHUB: VHN-394988 // VULMON: CVE-2021-34746 // JVNDB: JVNDB-2021-010328 // CNNVD: CNNVD-202109-092 // NVD: CVE-2021-34746

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-nfvis-g2dmvvh	Trust: 2.5
url:	https://github.com/orangecertcc/security-research/security/advisories/ghsa-gqx8-c4xr-c664	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-34746	Trust: 1.4
url:	https://www.auscert.org.au/bulletins/esb-2021.2961	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/287.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://threatpost.com/cisco-patches-critical-authentication-bug-with-public-exploit/169146/	Trust: 0.1

sources: VULHUB: VHN-394988 // VULMON: CVE-2021-34746 // JVNDB: JVNDB-2021-010328 // CNNVD: CNNVD-202109-092 // NVD: CVE-2021-34746

SOURCES

db:	VULHUB	id:	VHN-394988
db:	VULMON	id:	CVE-2021-34746
db:	JVNDB	id:	JVNDB-2021-010328
db:	CNNVD	id:	CNNVD-202109-092
db:	NVD	id:	CVE-2021-34746

LAST UPDATE DATE

2024-08-14T15:27:37.458000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-394988	date:	2022-09-12T00:00:00
db:	VULMON	id:	CVE-2021-34746	date:	2021-09-10T00:00:00
db:	JVNDB	id:	JVNDB-2021-010328	date:	2022-06-29T05:51:00
db:	CNNVD	id:	CNNVD-202109-092	date:	2022-04-24T00:00:00
db:	NVD	id:	CVE-2021-34746	date:	2023-11-07T03:36:17.353

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-394988	date:	2021-09-02T00:00:00
db:	VULMON	id:	CVE-2021-34746	date:	2021-09-02T00:00:00
db:	JVNDB	id:	JVNDB-2021-010328	date:	2022-06-29T00:00:00
db:	CNNVD	id:	CNNVD-202109-092	date:	2021-09-01T00:00:00
db:	NVD	id:	CVE-2021-34746	date:	2021-09-02T03:15:06.687