CISA Urges IT Teams To Address Critical Vulnerability Affecting Cisco Enterprise Network Function Virtualization Infrastructure Software

CISA released a note this week urging IT teams to update a Cisco system that has a critical vulnerability. 

The vulnerability affects Cisco Enterprise Network Function Virtualization Infrastructure Software Release (NFVIS) 4.5.1 and Cisco released software updates that address the vulnerability on Wednesday.

The vulnerability "could allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator," according to Cisco. 

The vulnerability is in the TACACS+ authentication, authorization and accounting (AAA) feature of NFVIS. 

"This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script. An attacker could exploit this vulnerability by injecting parameters into an authentication request. A successful exploit could allow the attacker to bypass authentication and log in as an administrator to the affected device," Cisco said.

"There are no workarounds that address this vulnerability. To determine if a TACACS external authentication feature is enabled on a device, use the show running-config tacacs-server command." 

Cisco urged IT teams to contact the Cisco Technical Assistance Center or their contracted maintenance providers if they face any problems. 

"The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory. The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory," Cisco added, thanking Cyrille Chatras of Orange Group for reporting the vulnerability.

John Bambenek, threat intelligence advisor at Netenrich, said it is a "pretty major problem for Cisco NFV devices that highlights software engineers still struggle with input validation vulnerabilities that have plagued us for almost three decades." 

"Easy acquisition of administrative rights on any device should be concerning and organizations should take immediate steps to patch their devices," Bambenek added.