-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2424
  14 vulnerabilities ranked High or lower patched in Cisco SD-WAN products
                                16 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SD-WAN products
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Root Compromise          -- Remote/Unauthenticated
                   Modify Arbitrary Files   -- Existing Account
                   Denial of Service        -- Remote/Unauthenticated
                   Cross-site Scripting     -- Existing Account
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3468 CVE-2020-3437 CVE-2020-3406 CVE-2020-3405
                   CVE-2020-3401 CVE-2020-3388 CVE-2020-3387 CVE-2020-3385
                   CVE-2020-3381 CVE-2020-3379 CVE-2020-3372 CVE-2020-3369
                   CVE-2020-3351 CVE-2020-3180

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdw-dos-KWOdyHnB
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmpresc-SyzcS4kC
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdscred-HfWWfqBj
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fpdos-hORBfd9f
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vedgfpdos-PkqQrnwV
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clibypvman-sKcLf2L
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanxss-z7bhvHpy
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-emvman-3y6LuTcZ
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmdirtrav-eFdAxsJg
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanwebid-5QWMcCvt
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmandowndir-CVGvdKM3
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanrce-4jtWT28P
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-v78FubGV
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanxml-Aj4GFEKd

Comment: This bulletin contains fourteen Cisco Systems security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco SD-WAN Solution Software Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-sdw-dos-KWOdyHnB
First Published: 2020 July 15 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvj14805
CVE-2020-3351    CWE-399
CVSS Score:      8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in Cisco SD-WAN Solution Software could allow an
    unauthenticated, remote attacker to cause a denial of service (DoS)
    condition.

    The vulnerability is due to improper validation of fields in Cisco SD-WAN
    peering messages that are encapsulated in UDP packets. An attacker could
    exploit this vulnerability by sending crafted UDP messages to the targeted
    system. A successful exploit could allow the attacker to cause services on
    the device to fail, resulting in a DoS condition that could impact the
    targeted device and other devices that depend on it.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.
    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdw-dos-KWOdyHnB

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are running
    a Cisco SD-WAN Solution Software release earlier than Release 17.2.7 or
    18.3.0:

       SD-WAN vBond Orchestrator Software
       SD-WAN vEdge 100 Series Routers
       SD-WAN vEdge 1000 Series Routers
       SD-WAN vEdge 2000 Series Routers
       SD-WAN vEdge 5000 Series Routers
       SD-WAN vEdge Cloud Router
       SD-WAN vManage Software
       SD-WAN vSmart Controller Software

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are
    known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS XE
    SD-WAN Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco software
    license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software feature
    sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete upgrade
    solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release. If
    the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Cisco fixed this vulnerability in Cisco SD-WAN Solution Software releases
    17.2.7 and later and releases 18.3.0 and later.
    To ensure a complete upgrade solution, consider that this advisory is part
    of a collection that includes the following advisories:

       cisco-sa-sdw-dos-KWOdyHnB   : Cisco SD-WAN Solution Software Denial of Service Vulnerability
       cisco-sa-sdscred-HfWWfqBj   : Cisco SD-WAN Solution Software Static Credentials Vulnerability
       cisco-sa-vedgfpdos-PkqQrnwV : Cisco SD-WAN vEdge Routers Denial of Service Vulnerability
       cisco-sa-fpdos-hORBfd9f     : Cisco SD-WAN vEdge Routers Denial of Service Vulnerability
       cisco-sa-clibypvman-sKcLf2L : Cisco SD-WAN vManage Software Command Injection Vulnerability
       cisco-sa-vmdirtrav-eFdAxsJg : Cisco SD-WAN vManage Software Directory Traversal Vulnerability
       cisco-sa-vmanrce-4jtWT28P   : Cisco SD-WAN vManage Software Remote Code Execution Vulnerability

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdw-dos-KWOdyHnB

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-JUL-15  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco SD-WAN Solution Software Privilege Escalation Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-vmpresc-SyzcS4kC
First Published: 2020 July 15 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvi69987
CVE-2020-3379    CWE-264
CVSS Score:      5.3  AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X

Summary

  o A vulnerability in Cisco SD-WAN Solution Software could allow an
    authenticated, local attacker to elevate privileges to Administrator on the
    underlying operating system.

    The vulnerability is due to insufficient input validation. An attacker could
    exploit this vulnerability by sending a crafted request to an affected
    system. A successful exploit could allow the attacker to gain administrative
    privileges.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmpresc-SyzcS4kC

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected the following Cisco
    products if they were running Cisco SD-WAN Solution Software releases
    earlier than Release 18.3.0:

       SD-WAN vBond Orchestrator Software
       SD-WAN vEdge Routers
       SD-WAN vManage Software
       SD-WAN vSmart Controller Software

    See the Details section in the bug ID(s) at the top of this advisory for the
    most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are
    known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.
Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete upgrade
    solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release. If
    the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance providers.

    Fixed Releases

    At the time of publication, Cisco SD-WAN Solution Software releases 18.3.0
    and later contained the fix for this vulnerability.

    See the Details section in the bug ID(s) at the top of this advisory for the
    most complete and current information.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmpresc-SyzcS4kC

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-JUL-15  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco SD-WAN Solution Software Static Credentials Vulnerability

Priority:        High
Advisory ID:     cisco-sa-sdscred-HfWWfqBj
First Published: 2020 July 15 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvi59720 CSCvi85074
CVE-2020-3180    CWE-264
CVSS Score:      8.4  AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in Cisco SD-WAN Solution Software could allow an
    unauthenticated, local attacker to access an affected device by using an
    account that has a default, static password. This account has root
    privileges.

    The vulnerability exists because the affected software has a user account
    with a default, static password. An attacker could exploit this
    vulnerability by remotely connecting to an affected system by using this
    account. A successful exploit could allow the attacker to log in by using
    this account with root privileges.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdscred-HfWWfqBj

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products:

       SD-WAN vBond Orchestrator Software
       SD-WAN vEdge Routers
       SD-WAN vManage Software
       SD-WAN vSmart Controller Software

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are
    known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS XE
    SD-WAN Software or Cisco SD-WAN cEdge Routers.
Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco software
    license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software feature
    sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete upgrade
    solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release. If
    the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance providers.
    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate fixed software release as
    indicated in the following table(s).

    To ensure a complete upgrade solution, consider that this advisory is part
    of a collection that includes the following advisories:

       cisco-sa-sdw-dos-KWOdyHnB   : Cisco SD-WAN Solution Software Denial of Service Vulnerability
       cisco-sa-sdscred-HfWWfqBj   : Cisco SD-WAN Solution Software Static Credentials Vulnerability
       cisco-sa-vedgfpdos-PkqQrnwV : Cisco SD-WAN vEdge Routers Denial of Service Vulnerability
       cisco-sa-fpdos-hORBfd9f     : Cisco SD-WAN vEdge Routers Denial of Service Vulnerability
       cisco-sa-clibypvman-sKcLf2L : Cisco SD-WAN vManage Software Command Injection Vulnerability
       cisco-sa-vmdirtrav-eFdAxsJg : Cisco SD-WAN vManage Software Directory Traversal Vulnerability
       cisco-sa-vmanrce-4jtWT28P   : Cisco SD-WAN vManage Software Remote Code Execution Vulnerability

    SD-WAN vBond, vEdge, and vSmart Software

    +---------------------+-----------------------------+-----------------------------+
    | Cisco SD-WAN vBond, | First Fixed Release for     | First Fixed Release for All |
    | vEdge, or vSmart    | This Vulnerability          | Vulnerabilities Described   |
    | Software Release    |                             | in the Collection of        |
    |                     |                             | Advisories                  |
    +---------------------+-----------------------------+-----------------------------+
    | Earlier than 18.3   | Migrate to a fixed release. | Migrate to a fixed release. |
    | 18.3                | 18.3.6                      | Migrate to a fixed release. |
    | 18.4                | Not affected.               | 18.4.5                      |
    | 19.2                | Not affected.               | 19.2.3                      |
    | 19.3                | Not affected.               | Migrate to a fixed release. |
    | 20.1                | Not affected.               | 20.1.12                     |
    +---------------------+-----------------------------+-----------------------------+

    SD-WAN vManage Software

    +---------------------+-----------------------------+-----------------------------+
    | Cisco SD-WAN        | First Fixed Release for     | First Fixed Release for All |
    | vManage Software    | This Vulnerability          | Vulnerabilities Described   |
    | Release             |                             | in the Collection of        |
    |                     |                             | Advisories                  |
    +---------------------+-----------------------------+-----------------------------+
    | Earlier than 18.3   | Migrate to a fixed release. | Migrate to a fixed release. |
    | 18.3                | Migrate to a fixed release. | Migrate to a fixed release. |
    | 18.4                | 18.4.5                      | Migrate to a fixed release. |
    | 19.2                | 19.2.2                      | 19.2.3                      |
    | 19.3                | Not affected.               | Migrate to a fixed release. |
    | 20.1                | Not affected.               | Migrate to a fixed release. |
    +---------------------+-----------------------------+-----------------------------+

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdscred-HfWWfqBj

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-JUL-15  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco SD-WAN vEdge Routers Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-fpdos-hORBfd9f
First Published: 2020 July 15 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvs72669
CVE-2020-3369    CWE-118
CVSS Score:      8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the deep packet inspection (DPI) engine of Cisco SD-WAN
    vEdge Routers could allow an unauthenticated, remote attacker to cause a
    denial of service (DoS) condition on an affected device.

    The vulnerability is due to improper processing of FTP traffic. An attacker
    could exploit this vulnerability by sending crafted FTP packets through an
    affected device. A successful exploit could allow the attacker to make the
    device reboot continuously, causing a DoS condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fpdos-hORBfd9f

Affected Products

  o Vulnerable Products

    This vulnerability affects the following software releases for Cisco SD-WAN
    vEdge 5000 Series Routers and Cisco SD-WAN vEdge Cloud Router if they have
    the DPI feature enabled:

       19.2.0
       19.2.097
       19.2.098
       19.2.1

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are
    known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect releases 18.4 or
    earlier of Cisco SD-WAN vEdge 5000 Series Routers or Cisco SD-WAN vEdge
    Cloud Router.
    Cisco has also confirmed that this vulnerability does not affect the
    following Cisco products:

       IOS XE SD-WAN Software
       SD-WAN cEdge Routers
       SD-WAN vBond Orchestrator Software
       SD-WAN vEdge 100 Series Routers
       SD-WAN vEdge 1000 Series Routers
       SD-WAN vEdge 2000 Series Routers
       SD-WAN vManage Software
       SD-WAN vSmart Controller Software

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco software
    license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software feature
    sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete upgrade
    solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release. If
    the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance providers.
    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate fixed software release as
    indicated in the following table(s).

    To ensure a complete upgrade solution, consider that this advisory is part
    of a collection that includes the following advisories:

       cisco-sa-sdw-dos-KWOdyHnB   : Cisco SD-WAN Solution Software Denial of Service Vulnerability
       cisco-sa-sdscred-HfWWfqBj   : Cisco SD-WAN Solution Software Static Credentials Vulnerability
       cisco-sa-vedgfpdos-PkqQrnwV : Cisco SD-WAN vEdge Routers Denial of Service Vulnerability
       cisco-sa-fpdos-hORBfd9f     : Cisco SD-WAN vEdge Routers Denial of Service Vulnerability
       cisco-sa-clibypvman-sKcLf2L : Cisco SD-WAN vManage Software Command Injection Vulnerability
       cisco-sa-vmdirtrav-eFdAxsJg : Cisco SD-WAN vManage Software Directory Traversal Vulnerability
       cisco-sa-vmanrce-4jtWT28P   : Cisco SD-WAN vManage Software Remote Code Execution Vulnerability

    +---------------------+-----------------------------+-----------------------------+
    | Cisco SD-WAN        | First Fixed Release for     | First Fixed Release for All |
    | vEdge Software      | This Vulnerability          | Vulnerabilities Described   |
    | Release             |                             | in the Collection of        |
    |                     |                             | Advisories                  |
    +---------------------+-----------------------------+-----------------------------+
    | Earlier than 18.3   | Migrate to a fixed release. | Migrate to a fixed release. |
    | 18.3                | Not affected.               | Not affected.               |
    | 18.4                | Not affected.               | 18.4.5                      |
    | 19.2                | 19.2.2                      | 19.2.3                      |
    | 19.3                | Migrate to a fixed release. | Migrate to a fixed release. |
    | 20.1                | 20.1.1                      | 20.1.12                     |
    +---------------------+-----------------------------+-----------------------------+

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Gil Fidel of Accenture Security for reporting this
    vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fpdos-hORBfd9f

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-JUL-15  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco SD-WAN vEdge Routers Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-vedgfpdos-PkqQrnwV
First Published: 2020 July 15 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvs72674
CVE-2020-3385    CWE-371
CVSS Score:      7.4  AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the deep packet inspection (DPI) engine of Cisco SD-WAN
    vEdge Routers could allow an unauthenticated, adjacent attacker to cause a
    denial of service (DoS) condition on an affected system.

    The vulnerability is due to insufficient handling of malformed packets. An
    attacker could exploit this vulnerability by sending crafted packets through
    an affected device. A successful exploit could allow the attacker to cause
    the device to reboot, resulting in a DoS condition.
    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vedgfpdos-PkqQrnwV

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are running
    a vulnerable software release:

       SD-WAN vEdge 5000 Series Routers
       SD-WAN vEdge Cloud Routers

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are
    known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       IOS XE SD-WAN Software
       SD-WAN vBond Orchestrator Software
       SD-WAN vEdge 100 Series Routers
       SD-WAN vEdge 1000 Series Routers
       SD-WAN vEdge 2000 Series Routers
       SD-WAN vManage Software
       SD-WAN vSmart Controller Software

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco software
    license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased.
    Free security software updates do not entitle customers to a new software
    license, additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete upgrade
    solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release. If
    the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate fixed software release as
    indicated in the following table(s).
    To ensure a complete upgrade solution, consider that this advisory is part
    of a collection that includes the following advisories:

       cisco-sa-sdw-dos-KWOdyHnB   : Cisco SD-WAN Solution Software Denial of Service Vulnerability
       cisco-sa-sdscred-HfWWfqBj   : Cisco SD-WAN Solution Software Static Credentials Vulnerability
       cisco-sa-vedgfpdos-PkqQrnwV : Cisco SD-WAN vEdge Routers Denial of Service Vulnerability
       cisco-sa-fpdos-hORBfd9f     : Cisco SD-WAN vEdge Routers Denial of Service Vulnerability
       cisco-sa-clibypvman-sKcLf2L : Cisco SD-WAN vManage Software Command Injection Vulnerability
       cisco-sa-vmdirtrav-eFdAxsJg : Cisco SD-WAN vManage Software Directory Traversal Vulnerability
       cisco-sa-vmanrce-4jtWT28P   : Cisco SD-WAN vManage Software Remote Code Execution Vulnerability

    +---------------------+-----------------------------+-----------------------------+
    | Cisco SD-WAN        | First Fixed Release for     | First Fixed Release for All |
    | vEdge Router        | This Vulnerability          | Vulnerabilities Described   |
    | Release             |                             | in the Collection of        |
    |                     |                             | Advisories                  |
    +---------------------+-----------------------------+-----------------------------+
    | Earlier than 18.3   | Migrate to a fixed release. | Migrate to a fixed release. |
    | 18.3                | Migrate to a fixed release. | Migrate to a fixed release. |
    | 18.4                | 18.4.5                      | 18.4.5                      |
    | 19.2                | 19.2.3                      | 19.2.3                      |
    | 19.3                | Migrate to a fixed release. | Migrate to a fixed release. |
    | 20.1                | 20.1.1                      | 20.1.12                     |
    +---------------------+-----------------------------+-----------------------------+

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Gil Fidel of Accenture Security for reporting this
    vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.
URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vedgfpdos-PkqQrnwV

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-JUL-15  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco SD-WAN vManage Software Command Injection Vulnerability

Priority:        High
Advisory ID:     cisco-sa-clibypvman-sKcLf2L
First Published: 2020 July 15 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvs11282
CVE-2020-3388    CWE-287
CVSS Score:      7.8  AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the CLI of Cisco SD-WAN vManage Software could allow an
    authenticated, local attacker to inject arbitrary commands that are executed
    with root privileges.

    The vulnerability is due to insufficient input validation. An attacker could
    exploit this vulnerability by authenticating to the device and submitting
    crafted input to the CLI. The attacker must be authenticated to access the
    CLI. A successful exploit could allow the attacker to execute commands with
    root privileges.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clibypvman-sKcLf2L

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco SD-WAN vManage Software releases.

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.
    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following Cisco products:

      o IOS XE SD-WAN Software
      o SD-WAN cEdge Routers
      o SD-WAN vBond Orchestrator Software
      o SD-WAN vEdge Routers
      o SD-WAN vSmart Controller Software

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate fixed software release as indicated in the following table(s).

    To ensure a complete upgrade solution, consider that this advisory is part of a collection that includes the following advisories:

      o cisco-sa-sdw-dos-KWOdyHnB : Cisco SD-WAN Solution Software Denial of Service Vulnerability
      o cisco-sa-sdscred-HfWWfqBj : Cisco SD-WAN Solution Software Static Credentials Vulnerability
      o cisco-sa-vedgfpdos-PkqQrnwV : Cisco SD-WAN vEdge Routers Denial of Service Vulnerability
      o cisco-sa-fpdos-hORBfd9f : Cisco SD-WAN vEdge Routers Denial of Service Vulnerability
      o cisco-sa-clibypvman-sKcLf2L : Cisco SD-WAN vManage Software Command Injection Vulnerability
      o cisco-sa-vmdirtrav-eFdAxsJg : Cisco SD-WAN vManage Software Directory Traversal Vulnerability
      o cisco-sa-vmanrce-4jtWT28P : Cisco SD-WAN vManage Software Remote Code Execution Vulnerability

    +-----------------------+-----------------------------+-----------------------------+
    | Cisco SD-WAN vManage  | First Fixed Release for     | First Fixed Release for All |
    | Software Release      | This Vulnerability          | Vulnerabilities Described   |
    |                       |                             | in the Collection of        |
    |                       |                             | Advisories                  |
    +-----------------------+-----------------------------+-----------------------------+
    | Earlier than 18.3     | Migrate to a fixed release. | Migrate to a fixed release. |
    | 18.3                  | Migrate to a fixed release. | Migrate to a fixed release. |
    | 18.4                  | 18.4.5                      | Migrate to a fixed release. |
    | 19.2                  | 19.2.2                      | 19.2.3                      |
    | 19.3                  | Migrate to a fixed release. | Migrate to a fixed release. |
    | 20.1                  | 20.1.1                      | Migrate to a fixed release. |
    +-----------------------+-----------------------------+-----------------------------+
Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  o Cisco would like to thank Orange CERT/CC for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clibypvman-sKcLf2L

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-JUL-15  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco SD-WAN vManage Software Cross-Site Scripting Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-vmanxss-z7bhvHpy
First Published: 2020 July 15 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvt71038
CVE-2020-3406    CWE-79
CVSS Score:
6.4  AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web-based management interface of the Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

    The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link.
    A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.

    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanxss-z7bhvHpy

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco SD-WAN vManage Software releases 19.2.2 and earlier.

    See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Fixed Releases

    At the time of publication, Cisco SD-WAN vManage Software Release 19.2.3 contained the fix for this vulnerability.

    See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  o Cisco would like to thank Johnny Yu of Walmart Security for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanxss-z7bhvHpy

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-JUL-15  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco SD-WAN vManage Software Denial of Service Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-emvman-3y6LuTcZ
First Published: 2020 July 15 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvo08423 CSCvs21703 CSCvt69529
CVE-2020-3372    CWE-400

Summary

  o A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to consume excessive system memory and cause a denial of service (DoS) condition on an affected system.

    The vulnerability is due to inefficient memory management. An attacker could exploit this vulnerability by sending a large number of crafted HTTP requests to the affected web-based management interface.
    A successful exploit could allow the attacker to exhaust system memory, which could cause the system to stop processing new connections and could result in a DoS condition.

    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-emvman-3y6LuTcZ

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco vManage Software releases earlier than Release 19.2.3 and Release 20.1.12.

    See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Fixed Releases

    At the time of publication, Cisco vManage Software releases 19.2.3 and later and releases 20.1.12 and later contained the fix for this vulnerability.

    See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-emvman-3y6LuTcZ

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-JUL-15  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco SD-WAN vManage Software Directory Traversal Vulnerability

Priority:        High
Advisory ID:     cisco-sa-vmdirtrav-eFdAxsJg
First Published: 2020 July 15 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvt72764
CVE-2020-3381    CWE-22
CVSS Score:
8.8  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct directory traversal attacks and obtain read and write access to sensitive files on a targeted system.

    The vulnerability is due to a lack of proper validation of files that are uploaded to an affected device. An attacker could exploit this vulnerability by uploading a crafted file to an affected system.
    An exploit could allow the attacker to view or modify arbitrary files on the targeted system.

    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmdirtrav-eFdAxsJg

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco SD-WAN vManage Software releases. For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following Cisco products:

      o IOS XE SD-WAN Software
      o SD-WAN cEdge Routers
      o SD-WAN vBond Orchestrator Software
      o SD-WAN vEdge Routers
      o SD-WAN vSmart Controller Software

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate fixed software release as indicated in the following table(s).
    To ensure a complete upgrade solution, consider that this advisory is part of a collection that includes the following advisories:

      o cisco-sa-sdw-dos-KWOdyHnB : Cisco SD-WAN Solution Software Denial of Service Vulnerability
      o cisco-sa-sdscred-HfWWfqBj : Cisco SD-WAN Solution Software Static Credentials Vulnerability
      o cisco-sa-vedgfpdos-PkqQrnwV : Cisco SD-WAN vEdge Routers Denial of Service Vulnerability
      o cisco-sa-fpdos-hORBfd9f : Cisco SD-WAN vEdge Routers Denial of Service Vulnerability
      o cisco-sa-clibypvman-sKcLf2L : Cisco SD-WAN vManage Software Command Injection Vulnerability
      o cisco-sa-vmdirtrav-eFdAxsJg : Cisco SD-WAN vManage Software Directory Traversal Vulnerability
      o cisco-sa-vmanrce-4jtWT28P : Cisco SD-WAN vManage Software Remote Code Execution Vulnerability

    +-----------------------+-----------------------------+-----------------------------+
    | Cisco SD-WAN vManage  | First Fixed Release for     | First Fixed Release for All |
    | Software Release      | This Vulnerability          | Vulnerabilities Described   |
    |                       |                             | in the Collection of        |
    |                       |                             | Advisories                  |
    +-----------------------+-----------------------------+-----------------------------+
    | Earlier than 18.3     | Migrate to a fixed release. | Migrate to a fixed release. |
    | 18.3                  | Migrate to a fixed release. | Migrate to a fixed release. |
    | 18.4                  | Migrate to a fixed release. | Migrate to a fixed release. |
    | 19.2                  | 19.2.3                      | 19.2.3                      |
    | 19.3                  | Migrate to a fixed release. | Migrate to a fixed release. |
    | 20.1                  | Migrate to a fixed release. | Migrate to a fixed release. |
    +-----------------------+-----------------------------+-----------------------------+

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  o Cisco would like to thank Johnny Yu of Walmart Security for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmdirtrav-eFdAxsJg

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-JUL-15  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco SD-WAN vManage Software Information Disclosure Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-vmanwebid-5QWMcCvt
First Published: 2020 July 15 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvt65026
CVE-2020-3437    CWE-59
CVSS Score:
6.5  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to read arbitrary files on the underlying filesystem of the device.

    The vulnerability is due to insufficient file scope limiting. An attacker could exploit this vulnerability by creating a specific file reference on the filesystem and then accessing it through the web-based management interface. A successful exploit could allow the attacker to read arbitrary files from the filesystem of the underlying operating system.

    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanwebid-5QWMcCvt

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco SD-WAN vManage Software releases earlier than Release 19.2.3.
    See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Fixed Releases

    At the time of publication, Cisco SD-WAN vManage Software releases 19.2.3 and later contained the fix for this vulnerability.

    See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  o Cisco would like to thank Johnny Yu of Walmart Security for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanwebid-5QWMcCvt

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-JUL-15  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco SD-WAN vManage Software Path Traversal Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-vmandowndir-CVGvdKM3
First Published: 2020 July 15 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvt74757
CVE-2020-3401    CWE-22
CVSS Score:
6.5  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct path traversal attacks and obtain read access to sensitive files on an affected system.

    The vulnerability is due to insufficient validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains directory traversal character sequences to the affected system. A successful exploit could allow the attacker to view arbitrary files on the affected system.

    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmandowndir-CVGvdKM3

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco SD-WAN vManage Software releases 19.2.2 and earlier.

    See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
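Three of the vManage advisories in this bulletin share one root cause: a file name that reaches the filesystem without being confined to the directory the feature is meant to serve. cisco-sa-vmdirtrav-eFdAxsJg names files inside an upload, cisco-sa-vmandowndir-CVGvdKM3 names traversal sequences in an HTTP request, and cisco-sa-vmanwebid-5QWMcCvt (CWE-59) names a file reference created on the filesystem and then read through the web interface, which is the symbolic-link case. The block below is an added example, not vManage code, of a single confinement check that handles all three: it rejects absolute paths and parent-directory components lexically, then resolves symlinks and requires the real target to still lie under the real root. The `uploads` directory layout and file names are constructed for the demonstration.

```python
"""Confining a user-supplied file name to one directory (CWE-22 and CWE-59).

Added example, not vManage code.  The directory layout built by
demo_confinement() is constructed purely to exercise each check.
"""
import tempfile
from pathlib import Path


class PathRejected(ValueError):
    """Raised when a requested path would leave the permitted directory."""


def resolve_inside(root: Path, user_path: str) -> Path:
    """Return the real path of root/user_path, or raise PathRejected.

    Order of checks:
      1. NUL bytes (truncate paths in C-level APIs) are refused.
      2. Empty and absolute paths are refused before any filesystem access.
      3. Any '..' component is refused lexically, so a request never even
         reaches the resolver with a traversal sequence in it.
      4. The target is resolved with symlinks followed and must still be
         relative to the resolved root.  This is the check that catches a
         link planted inside root that points at a file elsewhere.
    """
    if "\0" in user_path:
        raise PathRejected("NUL byte in path")
    rel = Path(user_path)
    if not rel.parts:
        raise PathRejected("empty path")
    if rel.is_absolute():
        raise PathRejected("absolute path not allowed")
    if ".." in rel.parts:
        raise PathRejected("parent-directory component not allowed")
    real_root = root.resolve(strict=True)
    target = (real_root / rel).resolve(strict=False)
    try:
        target.relative_to(real_root)
    except ValueError:
        raise PathRejected(f"{user_path!r} resolves outside {real_root}") from None
    return target


def demo_confinement() -> dict:
    """Build a constructed layout in a temp dir and report each check's verdict.

    Returns True for every key when the confinement behaves as intended:
    the plain file is served, and the traversal, absolute and symlink
    requests are all refused.
    """
    verdicts = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "uploads"           # the only directory the feature may read
        root.mkdir()
        (root / "report.txt").write_text("ok")
        secret = base / "secret.txt"      # sits outside root
        secret.write_text("not for export")
        (root / "link").symlink_to(secret)  # pre-planted link inside root (CWE-59)

        verdicts["plain"] = resolve_inside(root, "report.txt").name == "report.txt"
        for label, requested in (
            ("dotdot", "../secret.txt"),
            ("absolute", str(secret)),
            ("symlink", "link"),
        ):
            try:
                resolve_inside(root, requested)
                verdicts[label] = False
            except PathRejected:
                verdicts[label] = True
    return verdicts


if __name__ == "__main__":
    for check, ok in demo_confinement().items():
        print(f"{check:9s} {'confined' if ok else 'ESCAPED'}")
```

The resolve-then-compare step closes the symlink case but is still a check-then-use sequence: a link swapped in between the check and the later `open()` would not be caught. Where that matters, open the returned path with `O_NOFOLLOW` (or an `openat`-style API relative to a root descriptor) so the kernel enforces the same rule at use time.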
    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Fixed Releases

    At the time of publication, Cisco SD-WAN vManage Software Release 19.2.3 contained the fix for this vulnerability.

    See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  o Cisco would like to thank Johnny Yu of Walmart Security for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmandowndir-CVGvdKM3

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-JUL-15  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco SD-WAN vManage Software Remote Code Execution Vulnerability

Priority:        High
Advisory ID:     cisco-sa-vmanrce-4jtWT28P
First Published: 2020 July 15 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvt70892
CVE-2020-3387    CWE-20
CVSS Score:
7.5  AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to execute code with root privileges on an affected system.

    The vulnerability is due to insufficient input sanitization during user authentication processing. An attacker could exploit this vulnerability by sending a crafted response to the Cisco SD-WAN vManage Software. A successful exploit could allow the attacker to access the software and execute commands they should not be authorized to execute.

    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanrce-4jtWT28P

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco SD-WAN vManage Software releases if the Single Sign-On feature is enabled. For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.
    To determine whether the Single Sign-On feature is enabled, choose the following path within the Cisco vManage settings: Administration > Settings > Identity Provider Settings.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following Cisco products:

      o IOS XE SD-WAN Software
      o SD-WAN cEdge Routers
      o SD-WAN vBond Orchestrator Software
      o SD-WAN vEdge Routers
      o SD-WAN vSmart Controller Software

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate fixed software release as indicated in the following table(s).

    To ensure a complete upgrade solution, consider that this advisory is part of a collection that includes the following advisories:

      o cisco-sa-sdw-dos-KWOdyHnB : Cisco SD-WAN Solution Software Denial of Service Vulnerability
      o cisco-sa-sdscred-HfWWfqBj : Cisco SD-WAN Solution Software Static Credentials Vulnerability
      o cisco-sa-vedgfpdos-PkqQrnwV : Cisco SD-WAN vEdge Routers Denial of Service Vulnerability
      o cisco-sa-fpdos-hORBfd9f : Cisco SD-WAN vEdge Routers Denial of Service Vulnerability
      o cisco-sa-clibypvman-sKcLf2L : Cisco SD-WAN vManage Software Command Injection Vulnerability
      o cisco-sa-vmdirtrav-eFdAxsJg : Cisco SD-WAN vManage Software Directory Traversal Vulnerability
      o cisco-sa-vmanrce-4jtWT28P : Cisco SD-WAN vManage Software Remote Code Execution Vulnerability

    +-----------------------+-----------------------------+-----------------------------+
    | Cisco SD-WAN vManage  | First Fixed Release for     | First Fixed Release for All |
    | Software Release      | This Vulnerability          | Vulnerabilities Described   |
    |                       |                             | in the Collection of        |
    |                       |                             | Advisories                  |
    +-----------------------+-----------------------------+-----------------------------+
    | Earlier than 18.3     | Migrate to a fixed release. | Migrate to a fixed release. |
    | 18.3                  | Migrate to a fixed release. | Migrate to a fixed release. |
    | 18.4                  | Migrate to a fixed release. | Migrate to a fixed release. |
    | 19.2                  | 19.2.3                      | 19.2.3                      |
    | 19.3                  | Migrate to a fixed release. | Migrate to a fixed release. |
    | 20.1                  | 20.1.1.1                    | Migrate to a fixed release. |
    +-----------------------+-----------------------------+-----------------------------+

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  o Cisco would like to thank Johnny Yu of Walmart Security for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanrce-4jtWT28P

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-JUL-15  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco SD-WAN vManage Software SQL Injection Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-vmanage-v78FubGV
First Published: 2020 July 15 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvs21296
CVE-2020-3468    CWE-89
CVSS Score:
5.4  AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system.

    The vulnerability exists because the web-based management interface improperly validates values within SQL queries.
An attacker could exploit this vulnerability by authenticating to the application and sending malicious SQL queries to an affected system. A successful exploit could allow the attacker to modify values on or return values from the underlying database or the operating system. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-vmanage-v78FubGV Affected Products o Vulnerable Products At the time of publication, this vulnerability affected Cisco SD-WAN vManage Software releases earlier than Release 19.2.2 and Release 20.1.1. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Fixed Releases At the time of publication, Cisco SD-WAN vManage Software releases 19.2.2 and 20.1.1 contained the fix for this vulnerability. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. 
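The advisory above names the defect class (CWE-89: values not properly validated within SQL queries) without showing code, and vManage's implementation is not public. The following is an added, constructed illustration of that class and its standard fix, not Cisco's code: an in-memory SQLite table with made-up device rows, a lookup that pastes the caller's value into the SQL text, and the same lookup with the value bound as a parameter. The table, column and hostname values are invented for the example.

```python
"""Constructed illustration of CWE-89 (SQL injection) and its fix.

Not code from Cisco SD-WAN vManage; the schema and rows below are made up so
the example runs offline against an in-memory SQLite database.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small, constructed device-inventory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (hostname TEXT, site TEXT)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?)",
        [("edge-01", "syd"), ("edge-02", "syd"), ("edge-03", "mel")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, site: str) -> list:
    """Defective form: the caller-supplied value is interpolated into the SQL
    text, so a quote character in the value ends the literal and the rest of
    the value is parsed as SQL. The query's structure is no longer what the
    code wrote; that is the condition the advisory describes."""
    sql = f"SELECT hostname FROM devices WHERE site = '{site}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, site: str) -> list:
    """Fixed form: the value is bound as a parameter. The driver keeps it as
    data whatever characters it contains, so the WHERE clause compares the
    column against the whole string and nothing else."""
    sql = "SELECT hostname FROM devices WHERE site = ?"
    return [row[0] for row in conn.execute(sql, (site,))]


def demo() -> dict:
    """Run both forms on an ordinary value and on a constructed value that
    contains a quote, and return the result sets for comparison."""
    conn = make_db()
    ordinary = "syd"
    quoted = "x' OR '1'='1"  # constructed input; its only point is the quote
    return {
        "ordinary_unsafe": lookup_unsafe(conn, ordinary),
        "ordinary_safe": lookup_safe(conn, ordinary),
        "quoted_unsafe": lookup_unsafe(conn, quoted),   # every row comes back
        "quoted_safe": lookup_safe(conn, quoted),       # no site has that name
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:16s} -> {rows}")
```

The check a reviewer applies is mechanical: any place where request-controlled text reaches the SQL string through concatenation or formatting is an instance of the unsafe form, regardless of what input validation sits in front of it; binding parameters removes the class rather than a particular payload.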
Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-v78FubGV

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-JUL-15  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco SD-WAN vManage Software XML External Entity Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-vmanxml-Aj4GFEKd
First Published: 2020 July 15 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvt72792 CSCvu35990
CVE-2020-3405    CWE-611
CVSS Score:      6.5  AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web UI of Cisco SD-WAN vManage Software could allow
    an authenticated, remote attacker to gain read and write access to
    information that is stored on an affected system.

    The vulnerability is due to improper handling of XML External Entity (XXE)
    entries when parsing certain XML files. An attacker could exploit this
    vulnerability by persuading a user to import a crafted XML file with
    malicious entries. A successful exploit could allow the attacker to read
    and write files within the affected application.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.
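The XXE summary above describes an import path that parses user-supplied XML files without refusing external entity declarations (CWE-611). As an added, constructed example that is not Cisco's code, the block below shows the hardening a file-import handler needs, using only the Python standard library: every DOCTYPE is rejected before the document reaches the real parser, and external entity references are refused as a second line of defence. The `import_config` function name, the `<policy>` document shape and the `file:///placeholder/path` system identifier are assumptions made for the example.

```python
"""Constructed illustration of hardening an XML import against XXE (CWE-611).

Not code from Cisco SD-WAN vManage. Uses the standard library's expat binding
so it runs offline; the sample documents below are made up.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when an imported document carries a DTD or an external entity."""


def _refuse_dtd_and_external_entities(data: bytes) -> None:
    """Pre-scan the document with a bare expat parser whose handlers reject
    the constructs XXE depends on. An exception raised inside a handler
    propagates out of Parse(), so the scan stops at the first offence."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Entities can only be declared inside a DTD, so refusing every
        # DOCTYPE closes the whole class, not one payload shape.
        raise UnsafeXmlError(f"DOCTYPE not allowed in imported file: {name!r}")

    def on_external_entity(context, base, system_id, public_id):
        # Defence in depth: never fetch anything an entity points at.
        raise UnsafeXmlError(f"external entity reference refused: {system_id!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(data, True)


def import_config(data: bytes) -> ET.Element:
    """Hypothetical import handler: scan first, then parse normally.
    A document that passes the scan contains no DTD, so no custom entity can
    exist for the second parser to expand."""
    _refuse_dtd_and_external_entities(data)
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if the import handler accepts the document, False if it is
    refused for safety reasons or is not well-formed XML."""
    try:
        import_config(data)
        return True
    except (UnsafeXmlError, ET.ParseError, xml.parsers.expat.ExpatError):
        return False


# Constructed sample inputs.
BENIGN = b"<policy><name>branch-qos</name></policy>"
WITH_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE policy [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b"<policy><name>&ext;</name></policy>"
)

if __name__ == "__main__":
    print("benign accepted:", is_accepted(BENIGN))
    print("DTD document accepted:", is_accepted(WITH_DTD))
```

The design choice worth noting is that the guard rejects the DOCTYPE itself rather than inspecting entity declarations: an import format that never needs a DTD gains nothing from allowing one, and refusing it removes both external entity resolution and entity-expansion denial of service in a single check.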
    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanxml-Aj4GFEKd

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco SD-WAN
    vManage Software releases 19.2.2 and earlier.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, Cisco SD-WAN vManage Software Release 19.2.3
    contained the fix for this vulnerability.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Johnny Yu of Walmart Security for reporting
    this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanxml-Aj4GFEKd

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-JUL-15  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXw/NyuNLKJtyKPYoAQgacg//aNay4Zx+K2WXmH7jmRmogmv+xegynnW/
UmBJB3yv0aaOHU6cYBRAuQUH1v8wfLiNNQCsuilg/n/VkyssT0Gqcy/2ZQ11H3t0
kV0KT0tjaahcFswhG+uuShHs9NVny835tnvazlVOhcdvCRTWKzJFIvcLnJsQWY6W
6EnrxXh5/5rp3zq7lAqFDroidKXNNXSge4ab8jvJvWNdeV43K4oQmftJe4PdScmd
s6uWA/2eZR/Nar3cB1CFC2reRS9Z41M/AYsUKK1fkWKv2jTTo9o3or+wFZjV7DUw
o2dTSutEooyh97Y/8nKZ6dYPwLPJnrUEzrgMXuiPN8vwWVosJJz6fM3PFTSuNx7C
sCWx6RaDXjJHizAvpnBo5IZd0e2F8foMzR1WZgXZ2lngj5jD/z1TsEjbc/JqG8Qg
608XAAOQHnGcnvnn83pcEf+YK2+VjgN1TNMJUIKgI17wCo3YOh7jxFNqDroYQ0/k
bPxrN+6W9Z4/pSpuRj/7J5NSD71ze29772d6A/10gGDqm7WOv6rrS8qBKiIdDinj
Jv8MR306nnst86sxth+acaK3tvF8YwZqKv2vKozuS9TaOFXHCDyGbv4JiP0bhHdi
71NvNrJdVzuSnYYdaFzSYtHYPhv1Yp0S06+RM8XLiEMWwegBPzXNAK8Uvi7h/mTI
kjecInU7Bng=
=7RBo
-----END PGP SIGNATURE-----