Improper access control in Cisco IOS XR - CVE-2021-1243

 


Published: February 4, 2021 / Updated: February 5, 2021


Vulnerability identifier: #VU50375
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-1243
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Cisco IOS XR
Software vendor: Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in how Local Packet Transport Services (LPTS) is programmed for SNMP when the management plane protection feature of Cisco IOS XR Software is in use. A remote unauthenticated attacker can bypass the implemented security restrictions and connect to the SNMP server despite the management plane protection.


Remediation

Install updates from the vendor's website.
