cbcvebase.
CVE-2021-1619
published 2021-09-23

CVE-2021-1619: A vulnerability in the authentication, authorization, and accounting (AAA) function of Cisco IOS XE Software could allow an unauthenticated, remote attacker to…

PriorityP260critical9.1CVSS 3.1
AVNACLPRNUINSUCNIHAH
EPSS
1.70%
74.3th percentile
A vulnerability in the authentication, authorization, and accounting (AAA) function of Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass NETCONF or RESTCONF authentication and do either of the following: Install, manipulate, or delete the configuration of an affected device Cause memory corruption that results in a denial of service (DoS) on an affected device This vulnerability is due to an uninitialized variable. An attacker could exploit this vulnerability by sending a series of NETCONF or RESTCONF requests to an affected device. A successful exploit could allow the attacker to use NETCONF or RESTCONF to install, manipulate, or delete the configuration of a network device or to corrupt memory on the device, resulting a DoS.

Affected

265 ranges· showing 25
VendorProductVersion rangeFixed in
ciscocisco_ios_xe_software
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe
ciscoios_xe

Detection & IOCsextracted from sources · hover to see the quote

  • Exploit traffic targets NETCONF or RESTCONF protocols on affected Cisco IOS XE devices; monitor for unauthenticated or anomalous NETCONF/RESTCONF requests from external/untrusted sources
  • NETCONF typically operates over TCP port 830 (SSH) and RESTCONF over TCP port 443 (HTTPS); alert on repeated unauthenticated or session-less NETCONF/RESTCONF connection attempts to Cisco IOS XE devices
  • Root cause is an uninitialized variable (CWE-824) in the AAA function; look for unexpected process crashes or memory corruption indicators on IOS XE devices correlating with NETCONF/RESTCONF activity
  • ·Vulnerability is only exploitable if NETCONF or RESTCONF is enabled on the device; verify whether these management interfaces are exposed, especially to untrusted networks
  • ·Workarounds exist per Cisco advisory; disabling NETCONF/RESTCONF on affected devices where not required is a viable mitigation until patching
  • ·Tracked under Cisco Bug ID CSCvt53563; use this identifier when querying Cisco's bug search tool or PSIRT for affected version ranges

CVSS provenance

nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
nvdv2.06.4MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:P
vendor_cisco9.8CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.