CVE-2021-34746

9.8 CRITICAL

📋 TL;DR

This critical authentication bypass vulnerability in Cisco NFVIS allows unauthenticated remote attackers to gain administrator access by injecting parameters into TACACS+ authentication requests. It affects Cisco Enterprise NFV Infrastructure Software deployments using TACACS+ authentication. Organizations running vulnerable NFVIS versions are at immediate risk.

💻 Affected Systems

Products:
  • Cisco Enterprise NFV Infrastructure Software (NFVIS)
Versions: All versions prior to 4.7.1
Operating Systems: Cisco NFVIS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with TACACS+ authentication enabled. Systems using local authentication or other AAA methods are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the NFVIS infrastructure, allowing an attacker to deploy malicious virtual network functions, intercept network traffic, pivot to other systems, and disrupt critical network services.

🟠 Likely Case

Unauthorized administrative access leading to configuration changes, data exfiltration, and potential lateral movement within the network environment.

🟢 If Mitigated

Limited impact if proper network segmentation, monitoring, and compensating controls prevent exploitation or contain damage.

🌐 Internet-Facing: HIGH - Directly exploitable over network without authentication, making internet-facing deployments extremely vulnerable.
🏢 Internal Only: HIGH - Even internally, this provides unauthenticated administrative access to critical infrastructure components.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the TACACS+ service (TCP/49) and knowledge of the parameter injection technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: NFVIS 4.7.1 and later

Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nfvis-g2DMVVh

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Download NFVIS 4.7.1 or later from Cisco Software Center.
3. Upload and install the update via the NFVIS web interface or CLI.
4. Reboot the system after installation completes.

🔧 Temporary Workarounds

Disable TACACS+ Authentication

cisco-nfvis

Temporarily disable TACACS+ authentication and use local authentication until patching can be completed.

configure terminal
no aaa authentication login default group tacacs+ local
end
write memory

Restrict TACACS+ Network Access

cisco-nfvis

Implement network ACLs to restrict access to TACACS+ service (TCP/49) only from trusted management stations.

configure terminal
access-list 100 permit tcp TRUSTED_IP MASK any eq 49
access-list 100 deny tcp any any eq 49
interface MANAGEMENT_INTERFACE
ip access-group 100 in
end
write memory

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate NFVIS systems from untrusted networks
  • Enable comprehensive logging and monitoring for authentication attempts and administrative activities

🔍 How to Verify

Check if Vulnerable:

Check the NFVIS version with the 'show version' command. If the version is earlier than 4.7.1 and TACACS+ is enabled, the system is vulnerable.

Check Version:

show version | include Version

Verify Fix Applied:

After patching, verify that the version is 4.7.1 or later with 'show version' and test TACACS+ authentication with proper credentials.

📡 Detection & Monitoring

Log Indicators:

  • Failed TACACS+ authentication attempts with unusual parameters
  • Successful authentication from unexpected IP addresses
  • Administrative login events without proper credential validation

Network Indicators:

  • Unusual TACACS+ traffic patterns
  • Authentication requests containing special characters or parameter injections
  • Multiple authentication attempts from single source

SIEM Query:

source="nfvis" AND ((event_type="authentication" AND result="success" AND source_ip NOT IN [trusted_ips]) OR message="*parameter*" OR message="*injection*")
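
For environments without a SIEM, the same triage can be run offline over exported events. The following is an added example, not code from this page or from Cisco: it applies the SIEM query's conditions plus the "multiple authentication attempts from single source" indicator, matching trusted sources by CIDR. The event schema (dictionaries with the query's field names), the trusted network and the threshold are assumptions.

```python
import ipaddress
from collections import Counter

# Assumed values: replace with your management networks and preferred cut-off.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
BURST_THRESHOLD = 3

def is_trusted(ip):
    """True if ip parses and falls inside a trusted management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # missing or malformed address is never trusted
    return any(addr in net for net in TRUSTED_NETS)

def triage(events):
    """Return a list of (reason, source_ip) findings, in event order."""
    findings, attempts = [], Counter()
    for ev in events:
        if ev.get("source") != "nfvis":
            continue
        ip = ev.get("source_ip", "")
        msg = ev.get("message", "").lower()
        if ev.get("event_type") == "authentication":
            attempts[ip] += 1
            if ev.get("result") == "success" and not is_trusted(ip):
                findings.append(("success-from-untrusted-source", ip))
            if attempts[ip] == BURST_THRESHOLD:  # report each source once
                findings.append(("repeated-attempts", ip))
        if "parameter" in msg or "injection" in msg:
            findings.append(("message-keyword", ip))
    return findings

# Constructed sample events (not real NFVIS log output).
SAMPLE_EVENTS = [
    {"source": "nfvis", "event_type": "authentication", "result": "success",
     "source_ip": "192.0.2.10", "message": "login admin"},
    {"source": "nfvis", "event_type": "authentication", "result": "failure",
     "source_ip": "203.0.113.50", "message": "login failed"},
    {"source": "nfvis", "event_type": "authentication", "result": "failure",
     "source_ip": "203.0.113.50", "message": "unexpected parameter in request"},
    {"source": "nfvis", "event_type": "authentication", "result": "success",
     "source_ip": "203.0.113.50", "message": "login admin"},
    {"source": "other", "event_type": "authentication", "result": "success",
     "source_ip": "198.51.100.7", "message": "login"},
]

if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS), sep="\n")
```

An event with a missing or malformed source_ip is treated as untrusted, so a successful login without a usable address is still reported.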
