Cisco has released security updates to address a critical pre-authentication remote code execution (RCE) vulnerability affecting SD-WAN vManage Software’s remote management component.
The company fixed two other high-severity security vulnerabilities in the user management (CVE-2021-1137) and system file transfer (CVE-2021-1480) functions of the same product allowing attackers to escalate privileges.
Successful exploitation of these two bugs could allow threat actors targeting them to obtain root privileges on the underlying operating system.
Code execution with root privileges
The critical security flaw tracked a CVE-2021-1479 received a severity score of 9.8/10. It allows unauthenticated, remote attackers to trigger a buffer overflow on vulnerable devices in low complexity attacks that don’t require user interaction.
“An attacker could exploit this vulnerability by sending a crafted connection request to the vulnerable component that, when processed, could cause a buffer overflow condition,” Cisco explained.
“A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system with root privileges.”
The vulnerabilities affect Cisco SD-WAN vManage releases 20.4 and earlier. Cisco has addressed them in the 20.4.1, 20.3.3, and 19.2.4 security updates published today and advises customers to migrate to a fixed release as soon as possible.
|Affected Cisco SD-WAN vManage releases||First fixed release|
|18.4 and earlier||Migrate to a fixed release.|
|19.3||Migrate to a fixed release.|
|20.1||Migrate to a fixed release.|
While CVE-2021-1479 was discovered found by Cisco security researchers during internal security testing, CVE-2021-1137 and CVE-2021-1480 were reported by external researchers.
No in-the-wild exploitation
Cisco’s Product Security Incident Response Team (PSIRT) said that the company is not aware of active exploitation of these vulnerabilities in the wild.
Today, Cisco also disclosed a critical RCE vulnerability (CVE-2021-1459) in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W routers. No security updates will be released since these devices have reached end-of-life.
The company fixed another pre-auth RCE vulnerability (CVE-2021-1300) affecting Cisco SD-WAN Software products in January 2021, enabling attackers to execute arbitrary code with root privileges after exploitation.
Two more critical pre-auth bugs found in Cisco SD-WAN software were addressed last year, in July.