ID

VAR-202109-0622


CVE

CVE-2021-34746


TITLE

Authentication vulnerability in Cisco Enterprise NFV Infrastructure Software

Trust: 0.8

sources: JVNDB: JVNDB-2021-010328

DESCRIPTION

A vulnerability in the TACACS+ authentication, authorization and accounting (AAA) feature of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator. This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script. An attacker could exploit this vulnerability by injecting parameters into an authentication request. A successful exploit could allow the attacker to bypass authentication and log in as an administrator to the affected device. The affected device may also be placed in a denial-of-service (DoS) state. Cisco Enterprise NFV Infrastructure Software (NFVIS) is an NFV infrastructure software platform from Cisco. The platform provides full lifecycle management of virtualized services through the central coordinator and controller.

Trust: 1.8

sources: NVD: CVE-2021-34746 // JVNDB: JVNDB-2021-010328 // VULHUB: VHN-394988 // VULMON: CVE-2021-34746

AFFECTED PRODUCTS

vendor: cisco
model: enterprise nfv infrastructure software
scope: lt
version: 4.6.1

Trust: 1.0

vendor: Cisco Systems
model: cisco enterprise nfv infrastructure software
scope: eq
version: -

Trust: 0.8

vendor: Cisco Systems
model: cisco enterprise nfv infrastructure software
scope: -
version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-010328 // NVD: CVE-2021-34746

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-34746
value: CRITICAL

Trust: 1.0

ykramarz@cisco.com: CVE-2021-34746
value: CRITICAL

Trust: 1.0

NVD: CVE-2021-34746
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202109-092
value: CRITICAL

Trust: 0.6

VULHUB: VHN-394988
value: HIGH

Trust: 0.1

VULMON: CVE-2021-34746
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2021-34746
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-394988
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-34746
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: CVE-2021-34746
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-394988 // VULMON: CVE-2021-34746 // JVNDB: JVNDB-2021-010328 // CNNVD: CNNVD-202109-092 // NVD: CVE-2021-34746 // NVD: CVE-2021-34746

PROBLEMTYPE DATA

problemtype: CWE-287

Trust: 1.1

problemtype: CWE-289

Trust: 1.0

problemtype: Inappropriate authentication (CWE-287) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-394988 // JVNDB: JVNDB-2021-010328 // NVD: CVE-2021-34746

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202109-092

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202109-092

PATCH

title: cisco-sa-nfvis-g2DMVVh
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nfvis-g2DMVVh

Trust: 0.8

title: Cisco Enterprise NFV Infrastructure Software Remediation measures for authorization problem vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=162143

Trust: 0.6

title: Cisco: Cisco Enterprise NFV Infrastructure Software Authentication Bypass Vulnerability
url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-nfvis-g2DMVVh

Trust: 0.1

title: Threatpost
url: https://threatpost.com/cisco-patches-critical-authentication-bug-with-public-exploit/169146/

Trust: 0.1

title: BleepingComputer
url: https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-authentication-bypass-bug-with-public-exploit/

Trust: 0.1

sources: VULMON: CVE-2021-34746 // JVNDB: JVNDB-2021-010328 // CNNVD: CNNVD-202109-092

EXTERNAL IDS

db: NVD
id: CVE-2021-34746

Trust: 3.4

db: JVNDB
id: JVNDB-2021-010328

Trust: 0.8

db: CNNVD
id: CNNVD-202109-092

Trust: 0.7

db: AUSCERT
id: ESB-2021.2961

Trust: 0.6

db: VULHUB
id: VHN-394988

Trust: 0.1

db: VULMON
id: CVE-2021-34746

Trust: 0.1

sources: VULHUB: VHN-394988 // VULMON: CVE-2021-34746 // JVNDB: JVNDB-2021-010328 // CNNVD: CNNVD-202109-092 // NVD: CVE-2021-34746

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-nfvis-g2dmvvh

Trust: 2.5

url: https://github.com/orangecertcc/security-research/security/advisories/ghsa-gqx8-c4xr-c664

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-34746

Trust: 1.4

url: https://www.auscert.org.au/bulletins/esb-2021.2961

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/287.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

url: https://threatpost.com/cisco-patches-critical-authentication-bug-with-public-exploit/169146/

Trust: 0.1

sources: VULHUB: VHN-394988 // VULMON: CVE-2021-34746 // JVNDB: JVNDB-2021-010328 // CNNVD: CNNVD-202109-092 // NVD: CVE-2021-34746

SOURCES

db: VULHUB, id: VHN-394988
db: VULMON, id: CVE-2021-34746
db: JVNDB, id: JVNDB-2021-010328
db: CNNVD, id: CNNVD-202109-092
db: NVD, id: CVE-2021-34746

LAST UPDATE DATE

2024-08-14T15:27:37.458000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-394988, date: 2022-09-12T00:00:00
db: VULMON, id: CVE-2021-34746, date: 2021-09-10T00:00:00
db: JVNDB, id: JVNDB-2021-010328, date: 2022-06-29T05:51:00
db: CNNVD, id: CNNVD-202109-092, date: 2022-04-24T00:00:00
db: NVD, id: CVE-2021-34746, date: 2023-11-07T03:36:17.353

SOURCES RELEASE DATE

db: VULHUB, id: VHN-394988, date: 2021-09-02T00:00:00
db: VULMON, id: CVE-2021-34746, date: 2021-09-02T00:00:00
db: JVNDB, id: JVNDB-2021-010328, date: 2022-06-29T00:00:00
db: CNNVD, id: CNNVD-202109-092, date: 2021-09-01T00:00:00
db: NVD, id: CVE-2021-34746, date: 2021-09-02T03:15:06.687