#VU51704 Inclusion of Sensitive Information in Log Files in Cisco Systems, Inc products - CVE-2021-1442
Published: March 24, 2021
Cisco IOS XE
Cisco Catalyst 9800 Series Wireless Controllers
Cisco Catalyst 9600 Series Switches
Cisco Catalyst 9200 Series Switches
Cisco 1100 Series Industrial Integrated Services Routers
Cisco Catalyst 9400 Series Switches
Cisco Catalyst 9500 Series Switches
Cisco Catalyst 9300 Series Switches
Cisco 1000 Series Integrated Services Routers
Cisco 4000 Series Integrated Services Routers
Cisco Catalyst 3650 Series Switches
Cisco Cloud Services Router 1000V Series
Cisco ASR 1000 Series Aggregation Services Routers
Cisco Systems, Inc
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists in a diagnostic command for the Plug-and-Play (PnP) subsystem of Cisco IOS XE Software. When a specific PnP listener is enabled on the device, a local low-privileged user can run the diagnostic CLI command "show pnp profile" and obtain a privileged authentication token. This token can be used to send crafted PnP messages and execute privileged commands on the targeted system.
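A detection sketch for the condition described above, added here as an example and not taken from Cisco or from this advisory: it scans command-accounting records for "show pnp profile" run below privilege level 15. The record layout, attribute names, user names and sample lines are constructed assumptions, so adapt the parser to the format your AAA server actually writes.

```python
# Constructed sample records. Assumed layout (tab-separated):
# time, device, user, line, source address, flag, then key=value attributes.
SAMPLE_LOG = "\n".join([
    "2021-03-25 09:14:02\t192.0.2.10\tnetops\tvty0\t198.51.100.7\tstop\tservice=shell\tpriv-lvl=15\tcmd=show pnp profile <cr>",
    "2021-03-25 09:20:41\t192.0.2.10\thelpdesk\tvty1\t198.51.100.8\tstop\tservice=shell\tpriv-lvl=1\tcmd=show pnp profile <cr>",
    "2021-03-25 09:21:05\t192.0.2.10\thelpdesk\tvty1\t198.51.100.8\tstop\tservice=shell\tpriv-lvl=1\tcmd=show version <cr>",
    "2021-03-25 10:02:17\t192.0.2.11\tmonitor\tvty0\t198.51.100.9\tstop\tservice=shell\tpriv-lvl=5\tcmd=sh pnp prof <cr>",
    "truncated record without enough fields",
])

TARGET = ("show", "pnp", "profile")  # the diagnostic command named in the advisory
PRIVILEGED = 15                      # highest IOS privilege level


def is_target_command(cmd):
    """True for `show pnp profile`, typed in full or as keyword prefixes."""
    words = cmd.replace("<cr>", "").lower().split()
    if len(words) < len(TARGET):
        return False
    # Heuristic (assumption): treat any prefix of 2+ characters as a match.
    return all(len(w) >= 2 and full.startswith(w) for w, full in zip(words, TARGET))


def parse_record(line):
    """Split one accounting record; return None if it is malformed."""
    fields = line.split("\t")
    if len(fields) < 7:
        return None
    attrs = dict(f.split("=", 1) for f in fields[6:] if "=" in f)
    return {"time": fields[0], "device": fields[1], "user": fields[2], "attrs": attrs}


def find_exposures(log_text):
    """Return (time, device, user, level) for each non-privileged run of the command."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or not is_target_command(rec["attrs"].get("cmd", "")):
            continue
        level = rec["attrs"].get("priv-lvl", "")
        level = int(level) if level.isdigit() else None  # unknown level is still reported
        if level is None or level < PRIVILEGED:
            hits.append((rec["time"], rec["device"], rec["user"], level))
    return hits


if __name__ == "__main__":
    for hit in find_exposures(SAMPLE_LOG):
        print(hit)
```

A hit only shows that the command was run by a non-privileged session; whether a token was exposed still depends on the PnP listener being enabled on that device.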