Networking and hardware company Cisco asked its users to update their networking software immediately, citing critical security vulnerabilities in its products, including software-defined networking for wide-area networks (SD-WAN), Dynamic Network Analysis (DNA), and the Smart Software Manager Satellite. Threat actors could exploit the flaws to launch command injection attacks and gain root privileges on the affected devices.

The affected SD-WAN products are:
- IOS XE SD-WAN Software
- SD-WAN vBond Orchestrator Software
- SD-WAN vEdge Cloud Routers
- SD-WAN vEdge Routers
- SD-WAN vManage Software
- SD-WAN vSmart Controller Software
Multiple command injection vulnerabilities, tracked as CVE-2021-1260, CVE-2021-1261, and CVE-2021-1262, and buffer overflow vulnerabilities, tracked as CVE-2021-1300 and CVE-2021-1301, in Cisco SD-WAN products could allow a remote attacker to carry out attacks on affected devices.
- CVE-2021-1260: A command injection vulnerability in the CLI of Cisco SD-WAN Software that could allow an authenticated, local attacker with read-only credentials to inject arbitrary commands. These commands could allow the attacker to obtain root privileges and read, write, and delete files on the underlying file system of an affected device.
- CVE-2021-1261: A command injection vulnerability in the CLI utility tcpdump of Cisco SD-WAN Software that could allow an authenticated, local attacker with read-only credentials to inject arbitrary commands and obtain root privileges.
- CVE-2021-1262: A vulnerability in the CLI of Cisco SD-WAN Software that could allow an authenticated, local attacker with read-only credentials to inject arbitrary commands.
- CVE-2021-1300: A buffer overflow vulnerability in Cisco SD-WAN Software that could allow an unauthenticated, remote attacker to cause a buffer overflow condition.
- CVE-2021-1301: Another buffer overflow flaw, in the NETCONF subsystem of Cisco SD-WAN Software, that could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device or system.
Cisco has released security updates that fix all the vulnerabilities. There are no workarounds that address these flaws.
“The vulnerabilities are not dependent on one another. The exploitation of one of the vulnerabilities is not required to exploit the other vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerability,” Cisco said.