The Cisco SD-WAN security problems were part of 23 security advisories Cisco announced on Jan. 23.

Cisco has patched security vulnerabilities in four packages of SD-WAN Solution software that address buffer overflow, arbitrary file overwrite and privilege-escalation weaknesses that could have led to denial-of-service attacks or unauthorized access.

The first patch, rated "Critical" by Cisco, fixes a vulnerability in the vContainer of the Cisco SD-WAN Solution that could let an authenticated, remote attacker cause a denial of service (DoS) and execute arbitrary code as the root user, the company wrote in a security advisory. This vulnerability affects Cisco vSmart Controller Software running a release of the Cisco SD-WAN Solution prior to Release 18.4.0.

"The vulnerability is due to improper bounds checking by the vContainer. An attacker could exploit this vulnerability by sending a malicious file to an affected vContainer instance," Cisco stated.

The twist here is that customers must request the fix from Cisco to get it. "There is no fixed software for Cisco customers to download and deploy for this vulnerability. Customers must engage their Cisco support contact to ensure the deployment of the latest software fix."

[UPDATE: Cisco says it has updated this advisory to let customers know the fixed software has already been deployed by Cisco for this vulnerability. There is no action customers need to take. The advisories concerned are Cisco SD-WAN Solution Buffer Overflow Vulnerability (CVE-2019-1651) and Cisco SD-WAN Solution Unauthorized Access Vulnerability (CVE-2019-1647).]

The second SD-WAN-related patch is again for Cisco SD-WAN Solution software. The "High" impact alert covers a flaw that could let an authenticated, remote attacker overwrite arbitrary files on the underlying operating system of an affected device. An attacker could exploit this vulnerability by modifying the "save" command in the command-line interface (CLI) of an affected device.
A successful exploit could allow the attacker to overwrite arbitrary files on the underlying operating system of an affected device and escalate their privileges to the root user, Cisco wrote in its security advisory. The weakness affects the following Cisco products running a release of the Cisco SD-WAN Solution prior to Release 18.4.0:

vBond Orchestrator Software
vEdge 100 Series Routers
vEdge 1000 Series Routers
vEdge 2000 Series Routers
vEdge 5000 Series Routers
vEdge Cloud Router Platform
vManage Network Management Software
vSmart Controller Software

A third security weakness affecting the same group of SD-WAN Solution products could let an authenticated, local attacker gain root-level privileges and take full control of the device. "The vulnerability is due to a failure to properly validate certain parameters included within the group configuration. An attacker could exploit this vulnerability by writing a crafted file to the directory where the user group configuration is located in the underlying operating system," Cisco wrote.

Also, in that same group of products, Cisco warned that "multiple" vulnerabilities in the local CLI of the Cisco SD-WAN Solution could let an authenticated, local attacker escalate privileges and modify device configuration files. The attacker could then use the elevated privileges to further compromise the device or obtain additional configuration data from the device, Cisco wrote. "The vulnerabilities exist because user input is not properly sanitized for certain commands at the CLI. An attacker could exploit these vulnerabilities by sending crafted commands to the CLI of an affected device," Cisco stated.

Cisco says free updates are available to fix the three high-priority SD-WAN vulnerabilities. The Cisco Product Security Incident Response Team said it wasn't aware of any actual malicious use of the vulnerabilities.

The SD-WAN security problems were part of 23 flaws Cisco announced on Jan. 23.
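The one concrete fact every advisory above shares is the cut-off release: anything earlier than 18.4.0 on the listed products is exposed, and the Critical vContainer flaw (which the article identifies as CVE-2019-1651) applies only to vSmart. The script below, an added example that is not part of the article and not Cisco's code, turns that into an inventory check. It assumes a hand-built list of (hostname, product, release) tuples with product labels chosen for this example; the real export format of a vManage inventory is not shown on the page.

```python
"""Flag Cisco SD-WAN devices still on releases earlier than 18.4.0.

Added example, not from the article or from Cisco. Product labels, advisory
names and the inventory rows are assumptions made for the demonstration.
"""
import re
from typing import Dict, Iterable, List, Tuple

FIXED_RELEASE = "18.4.0"  # first fixed release named in the advisories

# Products the three High advisories list as affected (labels are assumed).
HIGH_PRODUCTS = {
    "vBond", "vEdge-100", "vEdge-1000", "vEdge-2000", "vEdge-5000",
    "vEdge-Cloud", "vManage", "vSmart",
}
# The Critical vContainer advisory names only vSmart Controller Software.
CRITICAL_PRODUCTS = {"vSmart"}

# Advisory names are paraphrased from the article, not Cisco's titles.
ADVISORIES: Dict[str, set] = {
    "vContainer buffer overflow (Critical, CVE-2019-1651)": CRITICAL_PRODUCTS,
    "arbitrary file overwrite via 'save' (High)": HIGH_PRODUCTS,
    "group configuration privilege escalation (High)": HIGH_PRODUCTS,
    "CLI input sanitisation privilege escalation (High)": HIGH_PRODUCTS,
}

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_release(text: str) -> Tuple[int, int, int]:
    """Turn '18.3.4' (or '18.3.4-build7') into a numeric tuple.

    Comparing as integers matters: as strings, '18.10.0' < '18.4.0',
    which would wrongly mark a newer release as vulnerable.
    """
    m = _RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def advisories_for(product: str, release: str) -> List[str]:
    """Names of the advisories that apply to this product at this release."""
    if parse_release(release) >= parse_release(FIXED_RELEASE):
        return []  # 18.4.0 and later are fixed for all four advisories
    return [name for name, products in ADVISORIES.items() if product in products]


def find_exposed(inventory: Iterable[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map hostname -> applicable advisories, omitting hosts with none."""
    exposed: Dict[str, List[str]] = {}
    for host, product, release in inventory:
        hits = advisories_for(product, release)
        if hits:
            exposed[host] = hits
    return exposed


# Constructed sample inventory for the demonstration (not real devices).
SAMPLE_INVENTORY = [
    ("vsmart-1", "vSmart", "18.3.4"),       # all four advisories apply
    ("vedge-br1", "vEdge-1000", "18.2.0"),  # the three High advisories apply
    ("vmanage-1", "vManage", "18.4.0"),     # first fixed release, clean
    ("vbond-1", "vBond", "18.4.1"),         # later than the fix, clean
    ("isr-hq", "ISR4451", "17.2.1"),        # not an SD-WAN Solution product
]

if __name__ == "__main__":
    for host, hits in find_exposed(SAMPLE_INVENTORY).items():
        print(host)
        for name in hits:
            print("   ", name)
```

Two points worth keeping when adapting this to a real inventory: compare releases numerically, never as strings, and treat a product that is not in the affected list as out of scope rather than as safe; the check only says what the advisories say.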
Others included vulnerabilities in Cisco WebEx and Firepower firewalls.