Cyber Security

Cisco urges users to patch critical vulnerability in virtualized network devices after PoC is made public

A critical vulnerability in a Cisco product designed to help service providers and enterprises deploy virtualized networks can allow unauthenticated actors to bypass authentication.

The security flaw, which was assigned a near-maximum CVSS score of 9.8, is present in the TACACS+ authentication, authorization, and accounting (AAA) feature of Cisco Enterprise NFV Infrastructure Software (NFVIS).

Cisco Enterprise NFVIS “helps dynamically deploy virtualized network functions” such as a virtual router, firewall, and WAN acceleration, on a supported Cisco device.

The critical vulnerability, which was found by Cyrille Chatras of Orange Group, can enable a remote, unauthenticated attacker to bypass authentication checks and log in as an administrator on an affected device.

Patch immediately

A security advisory from Cisco explains that the vulnerability is present due to incomplete validation of user-supplied input that is passed to an authentication script.

“An attacker could exploit this vulnerability by injecting parameters into an authentication request,” it reads, thereby bypassing that authentication request and logging in to the device.

The vulnerability affects Cisco Enterprise NFVIS Release 4.5.1 if the TACACS external authentication method is configured.

Cisco is urging users to update to the latest version as soon as possible to protect against the issue, as a proof-of-concept exploit has allegedly already been made public.

Source: https://portswigger.net/daily-swig/cisco-urges-users-to-patch-critical-vulnerability-in-virtualized-network-devices-after-poc-is-made-public
