By Tanya Seda
In our ongoing effort to keep our customers and friends informed of industry issues, we want to bring to your attention this Cisco SD-WAN vulnerability alert (it’s technical, but important!):
Cisco released patches for new security vulnerabilities in its SD-WAN software. Four vulnerabilities were found in its Viptela-based SD-WAN solution.
The most critical vulnerability was discovered in the vContainer of the SD-WAN. According to Cisco, it allows an authenticated, remote attacker to cause a denial of service (DoS) condition and to execute as the root user. This affects software running on Cisco SD-WAN versions prior to release 18.4.0.
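The one concrete, checkable fact in the alert is the version threshold: anything prior to release 18.4.0 is in scope. The script below is an added example (not Cisco's code and not part of the original post) that turns that threshold into an inventory check. It parses dotted version strings numerically, so 18.10.x is correctly treated as newer than 18.4.0 rather than failing a plain string comparison, and it sets aside entries whose version it cannot read for manual review. The inventory rows and host names are constructed sample data.

```python
"""Flag SD-WAN inventory entries running releases prior to 18.4.0.

Added example, not Cisco's code. The only fact taken from the advisory
summary is the threshold "prior to release 18.4.0"; the inventory below is
constructed sample data and the host names are placeholders.
"""
import re
from typing import List, Optional, Tuple

FIXED_RELEASE = (18, 4, 0)  # threshold stated in the advisory summary

# Constructed sample inventory: (hostname, role, reported software version).
SAMPLE_INVENTORY = [
    ("vmanage-01", "vManage", "18.3.1"),
    ("vsmart-01", "vSmart", "18.4.0"),
    ("vsmart-02", "vSmart", "18.10.2"),    # must not be flagged: 18.10 > 18.4
    ("vedge-branch-07", "vEdge", "17.2.10"),
    ("vedge-branch-08", "vEdge", "18.4"),  # missing patch component -> 18.4.0
    ("vbond-01", "vBond", "unknown"),      # malformed: needs manual review
]

# MAJOR[.MINOR[.PATCH]]; missing components default to 0.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse a dotted version string into a comparable tuple, or None if malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_prior_to_fix(version: str) -> Optional[bool]:
    """True if version < 18.4.0, False if not, None if the string cannot be parsed."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < FIXED_RELEASE


def triage(inventory) -> Tuple[List[str], List[str], List[str]]:
    """Split an inventory into (affected, patched, needs_review) host lists."""
    affected, patched, needs_review = [], [], []
    for host, _role, version in inventory:
        verdict = is_prior_to_fix(version)
        if verdict is None:
            needs_review.append(host)
        elif verdict:
            affected.append(host)
        else:
            patched.append(host)
    return affected, patched, needs_review


if __name__ == "__main__":
    affected, patched, review = triage(SAMPLE_INVENTORY)
    print("Prior to 18.4.0 (patch now):", affected)
    print("At or above 18.4.0:", patched)
    print("Version unreadable, check manually:", review)
```

Point the inventory at whatever source of truth you already have (a vManage export, a CMDB query, a spreadsheet) and treat the "needs review" bucket as seriously as the affected one: a device whose version you cannot read is a device you cannot vouch for.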
Cisco also deployed patches for three other flaws in its SD-WAN software. These were each marked as “high impact.”
Cisco has stated, “The first of these high-impact vulnerabilities was traced to an insecure default configuration of the system. This affected the vSmart controller software versions running on top of a Cisco-hosted vController of the SD-WAN versions prior to release 18.4.0. The advisory from Cisco said that it would allow an authenticated, adjacent attacker to bypass authentication and gain direct, unauthorized access to other vSmart containers. This would enable the attacker to directly connect to exposed services and to retrieve or modify critical system files.”
“This was caused by failure to properly validate parameters included in the group configuration, which allowed attackers to gain elevated privileges on the affected device. According to the advisory, if exploited, this “could allow the attacker to gain root-level privileges and take full control of the device.”
The final flaw was attributed to multiple vulnerabilities in the local command line interface (CLI) of the SD-WAN software. This affects the same devices as the previous flaw.”
It looks like the vulnerabilities were caused by user input not being properly sanitized for certain CLI commands, which would allow attackers to escalate their privileges and modify device configuration files. Once an attacker gained access, they would have been able to send commands to the CLI and compromise the device or obtain configuration data from it.
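To make the "unsanitized CLI input" point concrete for readers who write or review restricted-CLI code, here is an added illustration of the flaw class in general (not Cisco's code, and not a claim about how the SD-WAN CLI is implemented). It contrasts a wrapper that interpolates operator input straight into a shell command line with one that allowlists the sub-command, validates the argument against a strict pattern, and hands the privileged helper an argument list so no shell ever parses the input. The sub-command names, the helper directory and the sample inputs are all hypothetical.

```python
"""Vulnerable and hardened forms of a restricted-CLI wrapper that calls a
privileged helper. Added illustration of the flaw class; not Cisco's code.
The command names, helper directory and sample inputs are hypothetical.
"""
import re
from typing import List

# Hypothetical allowlist: the only sub-commands the wrapper is meant to expose.
ALLOWED_COMMANDS = {"show-config", "show-version"}
# A configuration name: starts alphanumeric, then letters, digits, '.', '_', '-'.
# No spaces, slashes or shell metacharacters can pass this pattern.
SAFE_ARG_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
HELPER_DIR = "/usr/local/sbin"  # hypothetical location of the privileged helpers
SHELL_METACHARS = ";|&$`<>()\n"


def build_unsafe(command: str, arg: str) -> str:
    """Vulnerable pattern: interpolate raw input into a shell command line.

    Whatever the operator typed is preserved verbatim, so separators, path
    components and extra arguments reach the privileged helper untouched.
    The string is only built here for inspection; it is never executed.
    """
    return f"sudo {HELPER_DIR}/{command} {arg}"


def build_safe(command: str, arg: str) -> List[str]:
    """Hardened pattern: allowlist the command, validate the argument, and
    return an argv list (for subprocess.run without a shell) so the input
    is always a single literal argument.
    """
    if command not in ALLOWED_COMMANDS:
        raise ValueError(f"command not permitted: {command!r}")
    if not SAFE_ARG_RE.fullmatch(arg):
        raise ValueError(f"argument rejected: {arg!r}")
    return ["sudo", f"{HELPER_DIR}/{command}", arg]


def metachars_survive(cmdline: str) -> bool:
    """Review helper: True if a built command line still carries characters a
    shell would interpret, i.e. the input was not validated before use."""
    return any(ch in cmdline for ch in SHELL_METACHARS)


def rejects(command: str, arg: str) -> bool:
    """True if the hardened builder refuses this (command, argument) pair."""
    try:
        build_safe(command, arg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    clean = "branch-07.cfg"
    tampered = "branch-07.cfg; echo injected"   # constructed sample input
    print("unsafe:", build_unsafe("show-config", tampered),
          "-> metacharacters survive:", metachars_survive(build_unsafe("show-config", tampered)))
    print("safe:  ", build_safe("show-config", clean))
    print("safe rejects tampered input:", rejects("show-config", tampered))
    print("safe rejects non-allowlisted command:", rejects("reboot", clean))
```

The two properties worth checking in a code review of any such wrapper are visible here: input is validated against what a legitimate value looks like (not against a blocklist of bad characters), and the helper is invoked with an argument vector rather than a shell string, so even an unexpected value cannot change which command runs or how many arguments it receives.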
Bottom line: if you haven’t received or applied these patches yet, you’ll want to get on it right away!