CISA urges IT teams to address critical vulnerability affecting Cisco Enterprise Network Function Virtualization Infrastructure Software | ZDNet

CISA released a note this week urging IT teams to update a Cisco system that has a critical vulnerability. 

The vulnerability affects Cisco Enterprise Network Function Virtualization Infrastructure Software Release (NFVIS) 4.5.1 and Cisco released software updates that address the vulnerability on Wednesday.

The vulnerability “could allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator,” according to Cisco. 

The vulnerability is in the TACACS+ authentication, authorization and accounting (AAA) feature of NFVIS. 

“This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script. An attacker could exploit this vulnerability by injecting parameters into an authentication request. A successful exploit could allow the attacker to bypass authentication and log in as an administrator to the affected device,” Cisco said.

“There are no workarounds that address this vulnerability. To determine if a TACACS external authentication feature is enabled on a device, use the show running-config tacacs-server command.” 

Cisco urged IT teams to contact the Cisco Technical Assistance Center or their contracted maintenance providers if they face any problems. 

“The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory. The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory,” Cisco added, thanking Cyrille Chatras of Orange Group for reporting the vulnerability.

John Bambenek, threat intelligence advisor at Netenrich, said it is a “pretty major problem for Cisco NFV devices that highlights software engineers still struggle with input validation vulnerabilities that have plagued us for almost three decades.” 

“Easy acquisition of administrative rights on any device should be concerning and organizations should take immediate steps to patch their devices,” Bambenek added.

For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.