#VU51734 Improper Privilege Management in Cisco Systems, Inc products - CVE-2021-1371
Published: March 25, 2021
Vulnerability identifier: #VU51734
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-1371
CWE-ID: CWE-269
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Cisco ASR 1000 Series Aggregation Services Routers
Cisco Cloud Services Router 1000V Series
Cisco 4000 Series Integrated Services Routers
Cisco 1000 Series Integrated Services Routers
Cisco IOS XE
Cisco ASR 1000 Series Aggregation Services Routers
Cisco Cloud Services Router 1000V Series
Cisco 4000 Series Integrated Services Routers
Cisco 1000 Series Integrated Services Routers
Cisco IOS XE
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper privilege management within the role-based access control of Cisco IOS XE SD-WAN Software. A local user with read-only privileges can obtain administrative privileges by using the console port when the device is in the default SD-WAN configuration.
Successful exploitation of the vulnerability may allow a user with read-only permissions to access administrative privileges.
Remediation
Install updates from vendor's website.