Cisco Warns On Critical Security Vulnerabilities In SD-WAN Software, So Update Now
Cisco is warning customers to update its networking software immediately, flagging four critical security vulnerabilities affecting SD-WAN, DNA, and the Smart Software Manager Satellite.
Cisco SD-WAN has three command injection vulnerabilities, tracked as CVE-2021-1260, CVE-2021-1261, and CVE-2021-1262. Collectively, they have a severity score of 9.9 out of 10. In other words, these are serious flaws that require immediate action. And that rating comes even though an attacker on the internet would need a valid password to exploit them.
"Multiple vulnerabilities in Cisco SD-WAN products could allow an authenticated attacker to perform command injection attacks against an affected device, which could allow the attacker to take certain actions with root privileges on the device," Cisco notes.
That severity rating could be due to its impact: "A successful exploit could allow the attacker to gain root-level access to the affected system," Cisco notes.
This issue affects Cisco's SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage Software, and SD-WAN vSmart Controller Software.
Cisco SD-WAN suffers from two other bugs with a severity score of 9.8, which are tracked as CVE-2021-1300 and CVE-2021-1301.
These nasties allow "an unauthenticated, remote attacker to execute attacks against an affected device," according to Cisco.
They affect IOS XE SD-WAN Software, SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage Software, and SD-WAN vSmart Controller Software.
With a severity rating of 9.6, the Command Runner tool of Cisco DNA Center "could allow an authenticated, remote attacker to perform a command injection attack." It's tracked as CVE-2021-1264.
Again, the attacker needs a correct login, but leaky input validation by the Command Runner tool could "allow the attacker to execute arbitrary CLI commands on devices managed by Cisco DNA Center," according to Cisco.
Finally, the Cisco Smart Software Manager Satellite Web user interface has a 9.8 severity bug because remote attackers can inject malicious commands into it even without a password.
The advisory consists of three distinct bugs, tracked as CVE-2021-1138, CVE-2021-1139, and CVE-2021-1140. These are bad bugs and warrant an immediate update, according to Cisco.
"An attacker could exploit these vulnerabilities by sending malicious HTTP requests to an affected device. A successful exploit could allow the attacker to run arbitrary commands on the underlying operating system," Cisco explained.
The good news is that Cisco engineers found all but one of the critical vulnerabilities, while one was found by a customer that reported an issue. Cisco was not aware of any of the flaws being actively exploited.
Cisco published advisories for a total of 19 bugs in January 2021. Besides the four critical vulnerabilities, there were nine high severity flaws and 18 medium severity flaws.
Some customers may already be protected from these vulnerabilities because Cisco regularly pushes out releases with security fixes before it discloses security flaws.