CVE-2021-1391 - Active Debug Code

Severity: 67%

Complexity: 8%

Confidentiality: 98%

A vulnerability in the dragonite debugger of Cisco IOS XE Software could allow an authenticated, local attacker to escalate from privilege level 15 to root privilege. The vulnerability is due to the presence of development testing and verification scripts that remained on the device. An attacker could exploit this vulnerability by bypassing the consent token mechanism with the residual scripts on the affected device. A successful exploit could allow the attacker to escalate from privilege level 15 to root privilege.

CVSS 3.1 Base Score 6.7. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 7.2. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C).

Demo Examples

Active Debug Code

CWE-489

Debug code can be used to bypass authentication. For example, suppose an application has a login script that receives a username and a password. Assume also that a third, optional, parameter, called "debug", is interpreted by the script as requesting a switch to debug mode, and that when this parameter is given the username and password are not checked. In such a case, it is very simple to bypass the authentication process if the special behavior of the application regarding the debug parameter is known. In a case where the form is:


               
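<FORM ACTION="http://TARGET/authenticate_login.cgi">
<INPUT TYPE=TEXT name=username>
<INPUT TYPE=PASSWORD name=password>
<INPUT TYPE=SUBMIT>
</FORM>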

Then a conforming link will look like:


               
http://TARGET/authenticate_login.cgi?username=...&password=...

An attacker can change this to:


               
http://TARGET/authenticate_login.cgi?username=&password=&debug=1

This grants the attacker access to the site, bypassing the authentication process.
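The login handler described above, next to a hardened form, as an added example that is not part of the original page or of any real product's code. The credential store, function names and audit log are assumptions made for illustration; the URLs are the ones shown above.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

_SALT = b"example-salt"  # constructed value for this example only


def _digest(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed credential store: username -> password digest.
USERS = {"alice": _digest("correct horse")}


def _params(url):
    # keep_blank_values so "username=&password=" parses as empty strings.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def _check_credentials(username, password):
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected, _digest(password))


def authenticate_vulnerable(url):
    """Behaviour the page describes: 'debug' skips the credential check."""
    p = _params(url)
    if "debug" in p:  # leftover debug branch (CWE-489)
        return True
    return _check_credentials(p.get("username", ""), p.get("password", ""))


def authenticate_hardened(url, audit_log):
    """No request-controlled parameter can change the authentication path."""
    p = _params(url)
    unexpected = sorted(set(p) - {"username", "password"})
    if unexpected:
        # Reject and record: unknown parameters on a login endpoint are
        # worth alerting on, since they indicate probing for debug switches.
        audit_log.append(f"login rejected: unexpected parameters {unexpected}")
        return False
    return _check_credentials(p.get("username", ""), p.get("password", ""))
```

The hardened version contains no debug branch at all, so there is nothing to toggle at run time; the allow-list of parameters additionally turns attempts to find such a switch into an audit event.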

Overview

Type: Cisco IOS

First reported: 3 years ago (2021-03-24 20:15:00)

Last updated: 3 years ago (2021-03-30 11:40:00)

Affected Software

Cisco IOS 12.2(6)I1
Cisco IOS 15.0(2)SE13A
Cisco IOS 15.1(3)SVS
Cisco IOS 15.2(5)E1
Cisco IOS 15.2(5)E2
Cisco IOS 15.2(5)E2C
Cisco IOS 15.2(5)EA
Cisco IOS 15.2(5)EX
Cisco IOS 15.2(5a)E
Cisco IOS 15.2(5A)E1
Cisco IOS 15.2(5b)E
Cisco IOS 15.2(5C)E
Cisco IOS 15.2(6)E
Cisco IOS 15.2(6)E0A
Cisco IOS 15.2(6)E0C
Cisco IOS 15.2(6)E1
Cisco IOS 15.2(6)E1A
Cisco IOS 15.2(6)E1S
Cisco IOS 15.2(6)E2
Cisco IOS 15.2(6)E2A
Cisco IOS 15.2(6)E2B
Cisco IOS 15.2(6)E3
Cisco IOS 15.2(6)EB
Cisco IOS 15.2(7)E
Cisco IOS 15.2(7)E0A
Cisco IOS 15.2(7)E0B
Cisco IOS 15.2(7)E0s
Cisco IOS 15.2(7)E1
Cisco IOS 15.2(7)E1A
Cisco IOS 15.2(7A)E0B
Cisco IOS 15.2(7b)e0b
Cisco IOS 15.3(3)JF13
Cisco IOS XE 3.9.2BE
Cisco IOS XE 3.9.2E
Cisco IOS XE 3.10.0CE
Cisco IOS XE 3.10.0E
Cisco IOS XE 3.10.1AE
Cisco IOS XE 3.10.1E
Cisco IOS XE 3.10.1SE
Cisco IOS XE 3.10.2E
Cisco IOS XE 3.10.3E
Cisco IOS XE 3.11.0E
Cisco IOS XE 3.11.1AE
Cisco IOS XE 3.11.1E
Cisco IOS XE 3.11.3E
Cisco IOS XE 16.8.1A
Cisco IOS XE 16.8.1B
Cisco IOS XE 16.8.1C
Cisco IOS XE 16.8.1D
Cisco IOS XE 16.8.1E
Cisco IOS XE 16.8.1S
Cisco IOS XE 16.8.2
Cisco IOS XE 16.8.3
Cisco IOS XE 16.9.1
Cisco IOS XE 16.9.1A
Cisco IOS XE 16.9.1B
Cisco IOS XE 16.9.1C
Cisco IOS XE 16.9.1D
Cisco IOS XE 16.9.1S
Cisco IOS XE 16.9.2
Cisco IOS XE 16.9.2A
Cisco IOS XE 16.9.2S
Cisco IOS XE 16.9.3
Cisco IOS XE 16.9.3A
Cisco IOS XE 16.9.3H
Cisco IOS XE 16.9.3S
Cisco IOS XE 16.9.4C
Cisco IOS XE 16.9.5
Cisco IOS XE 16.9.5F
Cisco IOS XE 16.10.1
Cisco IOS XE 16.10.1A
Cisco IOS XE 16.10.1B
Cisco IOS XE 16.10.1C
Cisco IOS XE 16.10.1D
Cisco IOS XE 16.10.1E
Cisco IOS XE 16.10.1F
Cisco IOS XE 16.10.1G
Cisco IOS XE 16.10.1S
Cisco IOS XE 16.10.2
Cisco IOS XE 16.10.3
Cisco IOS XE 16.11.1
Cisco IOS XE 16.12.1
Cisco IOS XE 16.12.1Y
Cisco IOS XE 16.12.2
Cisco IOS XE 16.12.2A
Cisco IOS XE 17.1.1
