CVE-2021-1442 - Insertion of Sensitive Information into Log File

Severity

78%

Complexity

18%

Confidentiality

98%

A vulnerability in a diagnostic command for the Plug-and-Play (PnP) subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to the level of an Administrator user (level 15) on an affected device. The vulnerability is due to insufficient protection of sensitive information. An attacker with low privileges could exploit this vulnerability by issuing the diagnostic CLI show pnp profile when a specific PnP listener is enabled on the device. A successful exploit could allow the attacker to obtain a privileged authentication token. This token can be used to send crafted PnP messages and execute privileged commands on the targeted system.

CVSS 3.1 Base Score 7.8. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 6.9. CVSS Attack Vector: local. CVSS Attack Complexity: medium. CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C).

Demo Examples

Insertion of Sensitive Information into Log File

CWE-532

In the following code snippet, a user's full name and credit card number are written to a log file.


               
logger.info("Username: " + usernme + ", CCN: " + ccn);

Insertion of Sensitive Information into Log File

CWE-532

This code stores location information about the current user:


               
}...
Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());

When the application encounters an exception it will write the user object to the log. Because the user object contains location information, the user's location is also written to the log.

Insertion of Sensitive Information into Log File

CWE-532

In the example below, the method getUserBankAccount retrieves a bank account object from a database using the supplied username and account number to query the database. If an SQLException is raised when querying the database, an error message is created and output to a log file.


               
}

                     
return userAccount;
}
userAccount = (BankAccount)queryResult.getObject(accountNumber);
Logger.getLogger(BankManager.class.getName()).log(Level.SEVERE, logMessage, ex);

The error message that is created includes information about the database query that may contain sensitive information about the database or query logic. In this case, the error message will expose the table name and column names used in the database. This data could be used to simplify other attacks, such as SQL injection (CWE-89) to directly access the database.

Overview

Type

Cisco IOS

First reported 4 years ago

2021-03-24 20:15:00

Last updated 4 years ago

2021-03-30 18:24:00

Affected Software

Cisco IOS XE 3.6.5AE

3.6.5ae

Cisco IOS XE 3.6.5BE

3.6.5be

Cisco IOS XE 3.6.5E

3.6.5e

Cisco IOS XE 3.6.6E

3.6.6e

Cisco IOS XE 3.6.7AE

3.6.7ae

Cisco IOS XE 3.6.7BE

3.6.7be

Cisco IOS XE 3.6.7E

3.6.7e

Cisco IOS XE 3.6.8E

3.6.8e

Cisco IOS XE 3.6.9AE

3.6.9ae

Cisco IOS XE 3.6.9E

3.6.9e

Cisco IOS XE 3.6.10E

3.6.10e

Cisco IOS XE 3.7.5E

3.7.5e

Cisco IOS XE 3.8.2E

3.8.2e

Cisco IOS XE 3.8.5AE

3.8.5ae

Cisco IOS XE 3.8.5E

3.8.5e

Cisco IOS XE 3.8.7E

3.8.7e

Cisco IOS XE 3.8.8E

3.8.8e

Cisco IOS XE 3.8.9E

3.8.9e

Cisco IOS XE 3.8.10E

3.8.10e

Cisco IOS XE 3.9.2BE

3.9.2be

Cisco IOS XE 3.9.2E

3.9.2e

Cisco IOS XE 3.10.0CE

3.10.0ce

Cisco IOS XE 3.10.0E

3.10.0e

Cisco IOS XE 3.10.1AE

3.10.1ae

Cisco IOS XE 3.10.1E

3.10.1e

Cisco IOS XE 3.10.1SE

3.10.1se

Cisco IOS XE 3.10.2E

3.10.2e

Cisco IOS XE 3.10.3E

3.10.3e

Cisco IOS XE 3.11.0E

3.11.0e

Cisco IOS XE 3.11.1AE

3.11.1ae

Cisco IOS XE 3.11.1E

3.11.1e

Cisco IOS XE 3.13.10S

3.13.10s

Cisco IOS XE 3.16.0AS

3.16.0as

Cisco IOS XE 3.16.0BS

3.16.0bs

Cisco IOS XE 3.16.0cS

3.16.0cs

Cisco IOS XE 3.16.1AS

3.16.1as

Cisco IOS XE 3.16.1S

3.16.1s

Cisco IOS XE 3.16.2BS

3.16.2bs

Cisco IOS XE 3.16.4CS

3.16.4cs

Cisco IOS XE 3.16.4ES

3.16.4es

Cisco IOS XE 3.16.4GS

3.16.4gs

Cisco IOS XE 3.16.5AS

3.16.5as

Cisco IOS XE 3.16.5BS

3.16.5bs

Cisco IOS XE 3.16.7AS

3.16.7as

Cisco IOS XE 3.16.7BS

3.16.7bs

Cisco IOS XE 3.16.8S

3.16.8s

Cisco IOS XE 3.16.9S

3.16.9s

Cisco IOS XE 3.16.10S

3.16.10s

Cisco IOS XE 3.17.1AS

3.17.1as

Cisco IOS XE 3.17.2S

3.17.2s

Cisco IOS XE 3.18.0AS

3.18.0as

Cisco IOS XE 3.18.0S

3.18.0s

Cisco IOS XE 3.18.1GSP

3.18.1gsp

Cisco IOS XE 3.18.1HSP

3.18.1hsp

Cisco IOS XE 3.18.1ISP

3.18.1isp

Cisco IOS XE 3.18.3ASP

3.18.3asp

Cisco IOS XE 3.18.3BSP

3.18.3bsp

Cisco IOS XE 3.18.4S

3.18.4s

Cisco IOS XE 3.18.4SP

3.18.4sp

Cisco IOS XE 3.18.5SP

3.18.5sp

Cisco IOS XE 3.18.6SP

3.18.6sp

Cisco IOS XE 3.18.7SP

3.18.7sp

Cisco IOS XE 3.18.8SP

3.18.8sp

Cisco IOS XE 16.1.1

16.1.1

Cisco IOS XE 16.3.4

16.3.4

Cisco IOS XE 16.3.5

16.3.5

Cisco IOS XE 16.3.7

16.3.7

Cisco IOS XE 16.3.8

16.3.8

Cisco IOS XE 16.4.2

16.4.2

Cisco IOS XE 16.4.3

16.4.3

Cisco IOS XE 16.5.1

16.5.1

Cisco IOS XE 16.5.1B

16.5.1b

Cisco IOS XE 16.5.2

16.5.2

Cisco IOS XE 16.5.3

16.5.3

Cisco IOS XE 16.6.4

16.6.4

Cisco IOS XE 16.6.4A

16.6.4a

Cisco IOS XE 16.6.4S

16.6.4s

Cisco IOS XE 16.6.5A

16.6.5a

Cisco IOS XE 16.6.5B

16.6.5b

Cisco IOS XE 16.6.6

16.6.6

Cisco IOS XE 16.6.7A

16.6.7a

Cisco IOS XE 16.6.8

16.6.8

Cisco IOS XE 16.7.1A

16.7.1a

Cisco IOS XE 16.7.1B

16.7.1b

Cisco IOS XE 16.7.3

16.7.3

Cisco IOS XE 16.7.4

16.7.4

Cisco IOS XE 16.8.1A

16.8.1a

Cisco IOS XE 16.8.1B

16.8.1b

Cisco IOS XE 16.8.1C

16.8.1c

Cisco IOS XE 16.8.1D

16.8.1d

Cisco IOS XE 16.8.1E

16.8.1e

Cisco IOS XE 16.8.1S

16.8.1s

Cisco IOS XE 16.8.2

16.8.2

Cisco IOS XE 16.8.3

16.8.3

Cisco IOS XE16.9.1

16.9.1

Cisco IOS XE 16.9.1A

16.9.1a

Cisco IOS XE 16.9.1B

16.9.1b

Cisco IOS XE 16.9.1C

16.9.1c

Cisco IOS XE 16.9.1D

16.9.1d

Cisco IOS XE 16.9.1S

16.9.1s

Cisco IOS XE 16.9.2

16.9.2

Cisco IOS XE 16.9.2A

16.9.2a

Cisco IOS XE 16.9.2S

16.9.2s

Cisco IOS XE 16.9.3

16.9.3

Cisco IOS XE 16.9.3A

16.9.3a

Cisco IOS XE 16.9.3H

16.9.3h

Cisco IOS XE 16.9.3S

16.9.3s

Cisco IOS XE 16.9.4C

16.9.4c

Cisco IOS XE 16.9.5

16.9.5

Cisco IOS XE 16.9.5F

16.9.5f

Cisco IOS XE 16.10.1

16.10.1

Cisco IOS XE 16.10.1A

16.10.1a

Cisco IOS XE 16.10.1B

16.10.1b

Cisco IOS XE 16.10.1C

16.10.1c

Cisco IOS XE 16.10.1D

16.10.1d

Cisco IOS XE 16.10.1E

16.10.1e

Cisco IOS XE 16.10.1F

16.10.1f

Cisco IOS XE 16.10.1G

16.10.1g

Cisco IOS XE 16.10.1S

16.10.1s

Cisco IOS XE 16.10.2

16.10.2

Cisco IOS XE 16.10.3

16.10.3

Cisco IOS XE 16.11.1

16.11.1

Cisco IOS XE 16.12.1

16.12.1

Cisco IOS XE 16.12.1Y

16.12.1y

Cisco IOS XE 16.12.2

16.12.2

Cisco IOS XE 16.12.2A

16.12.2a

Cisco IOS XE 16.12.4

16.12.4

Cisco IOS XE 17.1.1

17.1.1

References

20210324 Cisco IOS XE Software Plug-and-Play Privilege Escalation Vulnerability

20210324 Cisco IOS XE Software Plug-and-Play Privilege Escalation Vulnerability

Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.