CVE-2021-1572

ConfD CLI Secure Shell Server Privilege Escalation Vulnerability

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A vulnerability in ConfD could allow an authenticated, local attacker to execute arbitrary commands at the level of the account under which ConfD is running, which is commonly root. To exploit this vulnerability, an attacker must have a valid account on an affected device. The vulnerability exists because the affected software incorrectly runs the SFTP user service at the privilege level of the account that was running when the ConfD built-in Secure Shell (SSH) server for CLI was enabled. If the ConfD built-in SSH server was not enabled, the device is not affected by this vulnerability. An attacker with low-level privileges could exploit this vulnerability by authenticating to an affected device and issuing a series of commands at the SFTP interface. A successful exploit could allow the attacker to elevate privileges to the level of the account under which ConfD is running, which is commonly root. Note: Any user who can authenticate to the built-in SSH server may exploit this vulnerability. By default, all ConfD users have this access if the server is enabled. Software updates that address this vulnerability have been released.

Una vulnerabilidad en ConfD, podría permitir a un atacante local autenticado ejecutar comandos arbitrarios al nivel de la cuenta bajo la que se ejecuta ConfD, que suele ser root. Para explotar esta vulnerabilidad, un atacante debe tener una cuenta válida en un dispositivo afectado. La vulnerabilidad se presenta porque el software afectado ejecuta incorrectamente el servicio de usuario SFTP en el nivel de privilegio de la cuenta que se estaba ejecutando cuando el servidor Secure Shell (SSH) integrado de ConfD para CLI estaba habilitado. Si el servidor SSH integrado de ConfD no estaba habilitado, el dispositivo no está afectado por esta vulnerabilidad. Un atacante con privilegios de bajo nivel podría explotar esta vulnerabilidad al autenticarse en un dispositivo afectado y emitiendo una serie de comandos en la interfaz SFTP. Una explotación con éxito podría permitir al atacante elevar los privilegios al nivel de la cuenta bajo la cual se ejecuta ConfD, que es comúnmente root. Nota: Cualquier usuario que pueda autenticarse en el servidor SSH incorporado puede explotar esta vulnerabilidad. Por defecto, todos los usuarios de ConfD presentan este acceso si el servidor está habilitado. Se han publicado actualizaciones de software que solucionan esta vulnerabilidad

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2020-11-13 CVE Reserved
2021-08-04 CVE Published
2023-03-08 EPSS Updated
2024-11-07 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-266: Incorrect Privilege Assignment
CWE-269: Improper Privilege Management

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-confd-priv-esc-LsGtCRx4	2023-11-07
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nso-priv-esc-XXqRtTfT	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"		Confd Search vendor "Cisco" for product "Confd"				>= 7.4 <= 7.4.3 Search vendor "Cisco" for product "Confd" and version " >= 7.4 <= 7.4.3"		-		Affected
Cisco Search vendor "Cisco"		Confd Search vendor "Cisco" for product "Confd"				>= 7.5 <= 7.5.2 Search vendor "Cisco" for product "Confd" and version " >= 7.5 <= 7.5.2"		-		Affected
Cisco Search vendor "Cisco"		Network Services Orchestrator Search vendor "Cisco" for product "Network Services Orchestrator"				>= 5.4 <= 5.4.3.1 Search vendor "Cisco" for product "Network Services Orchestrator" and version " >= 5.4 <= 5.4.3.1"		-		Affected
Cisco Search vendor "Cisco"		Network Services Orchestrator Search vendor "Cisco" for product "Network Services Orchestrator"				>= 5.5 <= 5.5.2.2 Search vendor "Cisco" for product "Network Services Orchestrator" and version " >= 5.5 <= 5.5.2.2"		-		Affected