Cisco warns on critical security vulnerabilities in SD-WAN software, so update now

These nasties mean it's time to update.
Written by Liam Tung, Contributing Writer

Cisco is warning customers to update its networking software immediately, flagging four critical security vulnerabilities affecting SD-WAN, DNA, and the Smart Software Manager Satellite. 

The Cisco SD-WAN has three command injection vulnerabilities that are tracked as CVE-2021-1260, CVE-2021-1261, and CVE-2021-1262. Collectively, they have a severity score of 9.9 out of 10. In other words, these are serious flaws and require immediate action. And that rating comes despite an attacker on the internet actually needing a valid password. 

"Multiple vulnerabilities in Cisco SD-WAN products could allow an authenticated attacker to perform command injection attacks against an affected device, which could allow the attacker to take certain actions with root privileges on the device," Cisco notes. 

SEE: Network security policy (TechRepublic Premium)

That severity rating could be due to its impact: "A successful exploit could allow the attacker to gain root-level access to the affected system," Cisco notes

This issue affects Cisco's SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage Software, and SD-WAN vSmart Controller Software.

Cisco SD-WAN suffers from two other bugs with a severity score of 9.8, which are tracked as CVE-2021-1300 and CVE-2021-1301. 

These nasties allow "an unauthenticated, remote attacker to execute attacks against an affected device", according to Cisco

They affect IOS XE SD-WAN Software, SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage Software, and SD-WAN vSmart Controller Software. 

With a severity rating of 9.6, the Command Runner tool of Cisco DNA Center "could allow an authenticated, remote attacker to perform a command injection attack." It's tracked as CVE-2021-1264. 

Again, the attacker needs a correct login, but leaky input validation by the Command Runner tool could "allow the attacker to execute arbitrary CLI commands on devices managed by Cisco DNA Center," according to Cisco

Finally, the Cisco Smart Software Manager Satellite Web user interface has a 9.8 severity bug because remote attackers can inject malicious commands into it even without a password.

The advisory consists of three distinct bugs, tracked as CVE-2021-1138, CVE-2021-1139, and CVE-2021-1140. These are bad bugs and warrant an immediate update, according to Cisco. 

"An attacker could exploit these vulnerabilities by sending malicious HTTP requests to an affected device. A successful exploit could allow the attacker to run arbitrary commands on the underlying operating system," Cisco explained. 

SEE: How do we stop cyber weapons from getting out of control?

The good news is that Cisco engineers found all but one of the critical vulnerabilities, while one was found by a customer that reported an issue. Cisco was not aware of any of the flaws being actively exploited.

Cisco published advisories for a total of 19 bugs in January, 2021. Besides the four critical vulnerabilities, there were nine high severity flaws, and 18 medium severity flaws. 

Some customers may already be protected from these vulnerabilities because Cisco regularly pushes out releases with security fixes before it discloses security flaws. 

Editorial standards