CVE Vulnerabilities

CVE-2021-1522

Weak Password Requirements

Published: Aug 04, 2021 | Modified: Aug 11, 2021
CVSS 3.x
4.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS 2.x
4 MEDIUM
AV:N/AC:L/Au:S/C:N/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu

A vulnerability in the change password API of Cisco Connected Mobile Experiences (CMX) could allow an authenticated, remote attacker to alter their own password to a value that does not comply with the strong authentication requirements that are configured on an affected device. This vulnerability exists because a password policy check is incomplete at the time a password is changed at server side using the API. An attacker could exploit this vulnerability by sending a specially crafted API request to the affected device. A successful exploit could allow the attacker to change their own password to a value that does not comply with the configured strong authentication requirements.

Weakness

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

Affected Software

Name Vendor Start Version End Version
Connected_mobile_experiences Cisco 10.6.2 10.6.2
Connected_mobile_experiences Cisco 10.6.0 10.6.0
Connected_mobile_experiences Cisco 10.6.1 10.6.1
Connected_mobile_experiences Cisco 10.6.3 10.6.3

Potential Mitigations

  • A product’s design should require adherance to an appropriate password policy. Specific password requirements depend strongly on contextual factors, but it is recommended to contain the following attributes:

  • Depending on the threat model, the password policy may include several additional attributes.

  • See NIST 800-63B [REF-1053] for further information on password requirements.

References