PT-2021-2555 · Cisco · Cisco IOS XE
X.B · Published 2021-03-24 · Updated 2021-03-30 · CVE-2021-1442
CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Cisco IOS XE Software (affected versions not specified)
Description:
The issue is related to insufficient protection of sensitive information in the Plug-and-Play (PnP) subsystem of Cisco IOS XE Software. This could allow an authenticated, local attacker to elevate privileges to the level of an Administrator user on an affected device. An attacker with low privileges could exploit this by issuing the diagnostic CLI command show pnp profile when a specific PnP listener is enabled on the device, potentially obtaining a privileged authentication token to send crafted PnP messages and execute privileged commands.
Recommendations:
For Cisco IOS XE Software, update to a version that includes the fix for this issue, as software updates have been released by Cisco to address this vulnerability.
As a temporary workaround, consider disabling the PnP listener when not necessary to minimize the risk of exploitation.
Restrict access to the diagnostic CLI command show pnp profile to authorized personnel only.
Fix
Insertion into Log File
Weakness Enumeration
Related Identifiers
Affected Products
Cisco IOS XE