-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0241
                   Cisco SD-WAN multiple vulnerabilities
                               21 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco SD-WAN
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Root Compromise                 -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-1301 CVE-2021-1300 CVE-2021-1299 CVE-2021-1298
                   CVE-2021-1279 CVE-2021-1278 CVE-2021-1274 CVE-2021-1273
                   CVE-2021-1263 CVE-2021-1262 CVE-2021-1261 CVE-2021-1260
                   CVE-2021-1241 CVE-2021-1233

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-bufovulns-B5NrSHbj
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-cmdinjm-9QMSmgcn
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-dosmulti-48jJuEUP
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-infodis-2-UPO232DG

Comment: This bulletin contains four (4) Cisco Systems security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco SD-WAN Buffer Overflow Vulnerabilities

Priority:        Critical
Advisory ID:     cisco-sa-sdwan-bufovulns-B5NrSHbj
First Published: 2021 January 20 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvi69895 CSCvt11525
CVE Names:       CVE-2021-1300 CVE-2021-1301
CWEs:            CWE-119 CWE-20
CVSS Score:      9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o Multiple vulnerabilities in Cisco SD-WAN products could allow an
    unauthenticated, remote attacker to execute attacks against an affected
    device.

    For more information about these vulnerabilities, see the Details section
    of this advisory.

    Cisco has released software updates that address these vulnerabilities.
    There are no workarounds that address these vulnerabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-bufovulns-B5NrSHbj

Affected Products

  o Vulnerable Products

    These vulnerabilities affect the following Cisco products if they are
    running a vulnerable release of Cisco SD-WAN Software:

       IOS XE SD-WAN Software
       SD-WAN vBond Orchestrator Software
       SD-WAN vEdge Cloud Routers
       SD-WAN vEdge Routers
       SD-WAN vManage Software
       SD-WAN vSmart Controller Software

    For information about which Cisco software releases are vulnerable, see
    the Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by these vulnerabilities.

Details

  o The vulnerabilities are not dependent on one another. Exploitation of one
    of the vulnerabilities is not required to exploit the other vulnerability.
    In addition, a software release that is affected by one of the
    vulnerabilities may not be affected by the other vulnerability.
    Details about the vulnerabilities are as follows:

    CVE-2021-1300: Cisco SD-WAN Buffer Overflow Vulnerability

    A vulnerability in Cisco SD-WAN Software could allow an unauthenticated,
    remote attacker to cause a buffer overflow condition.

    The vulnerability is due to incorrect handling of IP traffic. An attacker
    could exploit this vulnerability by sending crafted IP traffic through an
    affected device, which may cause a buffer overflow when the traffic is
    processed. A successful exploit could allow the attacker to execute
    arbitrary code on the underlying operating system with root privileges.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    Bug ID(s): CSCvt11525
    CVE ID: CVE-2021-1300
    Security Impact Rating (SIR): High
    CVSS Base Score: 9.8
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    CVE-2021-1301: Cisco SD-WAN Buffer Overflow Vulnerability

    A vulnerability in the NETCONF subsystem of Cisco SD-WAN Software could
    allow an authenticated, remote attacker to cause a denial of service
    (DoS) condition on an affected device or system.

    The vulnerability is due to insufficient input validation of
    user-supplied input that is read by the system during the establishment
    of an SSH connection. An attacker could exploit this vulnerability by
    submitting a crafted file to be read by the affected system. A successful
    exploit could allow the attacker to cause a buffer overflow that could
    result in a DoS condition on the affected device or system.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    Bug ID(s): CSCvi69895
    CVE ID: CVE-2021-1301
    Security Impact Rating (SIR): Medium
    CVSS Base Score: 6.5
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Workarounds

  o There are no workarounds that address these vulnerabilities.
Fixed Software

  o Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.
    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate fixed software release
    as indicated in the following table(s). To ensure a complete upgrade
    solution, consider that this advisory is part of a collection that
    includes the following advisories:

       cisco-sa-sdwan-abyp-TnGFHrS       : Cisco SD-WAN vManage Authorization
                                           Bypass Vulnerabilities
       cisco-sa-sdwan-bufovulns-B5NrSHbj : Cisco SD-WAN Buffer Overflow
                                           Vulnerabilities
       cisco-sa-sdwan-cmdinjm-9QMSmgcn   : Cisco SD-WAN Command Injection
                                           Vulnerabilities
       cisco-sa-sdwan-dosmulti-48jJuEUP  : Cisco SD-WAN Denial of Service
                                           Vulnerabilities

    SD-WAN Software

    +---------------------+------------------------------+------------------------------+
    | Cisco SD-WAN        | First Fixed Release for      | First Fixed Release for All  |
    | Releases            | These Vulnerabilities        | Vulnerabilities Described in |
    |                     |                              | the Collection of Advisories |
    +---------------------+------------------------------+------------------------------+
    | Earlier than 18.3   | Migrate to a fixed release.  | Migrate to a fixed release.  |
    | 18.3                | Migrate to a fixed release.  | Migrate to a fixed release.  |
    | 18.4                | 18.4.5                       | Migrate to a fixed release.  |
    | 19.2                | 19.2.2                       | Migrate to a fixed release.  |
    | 19.3                | Migrate to a fixed release.  | Migrate to a fixed release.  |
    | 20.1                | 20.1.1                       | Migrate to a fixed release.  |
    | 20.3                | 20.3.1                       | 20.3.2                       |
    | 20.4                | 20.4.1                       | 20.4.1                       |
    +---------------------+------------------------------+------------------------------+

    IOS XE SD-WAN Software

    +---------------------+------------------------------+------------------------------+
    | Cisco IOS XE        | First Fixed Release for      | First Fixed Release for All  |
    | SD-WAN Releases     | These Vulnerabilities        | Vulnerabilities Described in |
    |                     |                              | the Collection of Advisories |
    +---------------------+------------------------------+------------------------------+
    | 16.9                | Migrate to a fixed release.  | Migrate to a fixed release.  |
    | 16.10               | Migrate to a fixed release.  | Migrate to a fixed release.  |
    | 16.11               | Migrate to a fixed release.  | Migrate to a fixed release.  |
    | 16.12               | 16.12.4                      | 16.12.4                      |
    +---------------------+------------------------------+------------------------------+

    IOS XE Software

    +---------------------+------------------------------+------------------------------+
    | Cisco IOS XE        | First Fixed Release for      | First Fixed Release for All  |
    | Universal Releases  | These Vulnerabilities        | Vulnerabilities Described in |
    |                     |                              | the Collection of Advisories |
    +---------------------+------------------------------+------------------------------+
    | 17.2                | 17.2.1                       | 17.2.2                       |
    | 17.3                | 17.3.1                       | 17.3.1                       |
    | 17.4                | 17.4.1                       | 17.4.1                       |
    +---------------------+------------------------------+------------------------------+

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerabilities that are
    described in this advisory.

Source

  o These vulnerabilities were found by James Spadaro of Cisco during internal
    security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-bufovulns-B5NrSHbj

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-JAN-20  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco SD-WAN Command Injection Vulnerabilities

Priority:        Critical
Advisory ID:     cisco-sa-sdwan-cmdinjm-9QMSmgcn
First Published: 2021 January 20 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvi59635 CSCvi59639 CSCvi69982 CSCvm26011 CSCvu28387
                 CSCvu28443
CVE Names:       CVE-2021-1260 CVE-2021-1261 CVE-2021-1262 CVE-2021-1263
                 CVE-2021-1298 CVE-2021-1299
CWEs:            CWE-20

Summary

  o Multiple vulnerabilities in Cisco SD-WAN products could allow an
    authenticated attacker to perform command injection attacks against an
    affected device, which could allow the attacker to take certain actions
    with root privileges on the device.

    For more information about these vulnerabilities, see the Details section
    of this advisory.

    Cisco has released software updates that address these vulnerabilities.
    There are no workarounds that address these vulnerabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-cmdinjm-9QMSmgcn

Affected Products

  o Vulnerable Products

    These vulnerabilities affect the following Cisco products if they are
    running a vulnerable release of Cisco SD-WAN Software:

       SD-WAN vBond Orchestrator Software
       SD-WAN vEdge Cloud Routers
       SD-WAN vEdge Routers
       SD-WAN vManage Software
       SD-WAN vSmart Controller Software

    For information about which Cisco software releases are vulnerable, see
    the Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by these vulnerabilities.

    Cisco has confirmed that these vulnerabilities do not affect Cisco IOS XE
    SD-WAN Software.
Details

  o The vulnerabilities are not dependent on one another; exploitation of one
    of the vulnerabilities is not required to exploit another vulnerability.
    In addition, a software release that is affected by one of the
    vulnerabilities may not be affected by the other vulnerabilities.

    Details about the vulnerabilities are as follows:

    CVE-2021-1299: Cisco SD-WAN vManage Command Injection Vulnerability

    A vulnerability in the web-based management interface of Cisco SD-WAN
    vManage Software could allow an authenticated, remote attacker to execute
    arbitrary commands as the root user on an affected system.

    This vulnerability is due to improper input validation of user-supplied
    input to the device template configuration. An attacker could exploit
    this vulnerability by submitting crafted input to the device template
    configuration. A successful exploit could allow the attacker to gain
    root-level access to the affected system.

    This vulnerability affects only the Cisco SD-WAN vManage product.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    Bug ID(s): CSCvu28387
    CVE ID: CVE-2021-1299
    Security Impact Rating (SIR): Critical
    CVSS Base Score: 9.9
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    CVE-2021-1261: Cisco SD-WAN CLI Command Injection Vulnerability

    A vulnerability in the CLI utility tcpdump of Cisco SD-WAN Software could
    allow an authenticated, local attacker with read-only credentials to
    inject arbitrary commands that could allow the attacker to obtain root
    privileges.

    This vulnerability is due to insufficient validation of user-supplied
    input to the tcpdump command. An attacker could exploit this vulnerability
    by authenticating with a lower-privileged user account via the CLI of an
    affected device and submitting crafted input to the affected commands. A
    successful exploit could allow the attacker to execute arbitrary commands
    on the device with root privileges.
    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    Bug ID(s): CSCvi59639
    CVE ID: CVE-2021-1261
    Security Impact Rating (SIR): High
    CVSS Base Score: 7.8
    CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    CVE-2021-1260: Cisco SD-WAN CLI Command Injection Vulnerability

    A vulnerability in the CLI of Cisco SD-WAN Software could allow an
    authenticated, local attacker with read-only credentials to inject
    arbitrary commands that could allow the attacker to obtain root privileges
    and read, write, and delete files of the underlying file system of an
    affected device.

    This vulnerability is due to insufficient validation of user-supplied
    input on the CLI. An attacker could exploit this vulnerability by
    authenticating with read-only privileges via the CLI of an affected device
    and submitting crafted input to the affected commands. A successful
    exploit could allow the attacker to execute arbitrary commands on the
    device with root privileges.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    Bug ID(s): CSCvi59635
    CVE ID: CVE-2021-1260
    Security Impact Rating (SIR): High
    CVSS Base Score: 7.1
    CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

    CVE-2021-1263: Cisco SD-WAN CLI Command Injection Vulnerability

    A vulnerability in the CLI of Cisco SD-WAN Software could allow an
    authenticated, local attacker with read-only credentials to inject
    arbitrary commands that could allow the attacker to obtain root privileges
    and read, write, and delete files of the underlying file system of an
    affected device.

    This vulnerability is due to insufficient validation of user-supplied
    input on the CLI. An attacker could exploit this vulnerability by
    authenticating with read-only privileges via the CLI of an affected device
    and submitting crafted input to the affected commands.
    A successful exploit could allow the attacker to execute arbitrary
    commands on the device with root privileges.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    Bug ID(s): CSCvu28443
    CVE ID: CVE-2021-1263
    Security Impact Rating (SIR): Medium
    CVSS Base Score: 6.1
    CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

    CVE-2021-1262: Cisco SD-WAN CLI Command Injection Vulnerability

    A vulnerability in the CLI of Cisco SD-WAN Software could allow an
    authenticated, local attacker with read-only credentials to inject
    arbitrary commands that could allow the attacker to obtain root privileges
    and read files from the underlying file system of an affected device.

    This vulnerability is due to insufficient validation of user-supplied
    input on the CLI. An attacker could exploit this vulnerability by
    authenticating with read-only privileges via the CLI of an affected device
    and submitting crafted input to the affected commands. A successful
    exploit could allow the attacker to execute arbitrary commands on the
    device with root privileges.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    Bug ID(s): CSCvi69982
    CVE ID: CVE-2021-1262
    Security Impact Rating (SIR): Medium
    CVSS Base Score: 5.5
    CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

    CVE-2021-1298: Cisco SD-WAN vManage Command Injection Vulnerability

    A vulnerability in the vAnalytics feature of the web-based management
    interface of Cisco SD-WAN vManage Software could allow an authenticated,
    remote attacker to execute arbitrary commands as the root user on an
    affected system.

    This vulnerability is due to improper input validation of user-supplied
    input to the SSO configuration. An attacker could exploit this by
    submitting crafted input to the SSO configuration. A successful exploit
    could allow the attacker to gain root-level access to the system.
    The vAnalytics feature of Cisco SD-WAN vManage Software must be enabled
    for this vulnerability to be exploited.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    Bug ID(s): CSCvm26011
    CVE ID: CVE-2021-1298
    Security Impact Rating (SIR): Medium
    CVSS Base Score: 5.3
    CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Workarounds

  o There are no workarounds that address these vulnerabilities.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.
    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate fixed software release
    as indicated in the following table(s). To ensure a complete upgrade
    solution, consider that this advisory is part of a collection that
    includes the following advisories:

       cisco-sa-sdwan-abyp-TnGFHrS       : Cisco SD-WAN vManage Authorization
                                           Bypass Vulnerabilities
       cisco-sa-sdwan-bufovulns-B5NrSHbj : Cisco SD-WAN Buffer Overflow
                                           Vulnerabilities
       cisco-sa-sdwan-cmdinjm-9QMSmgcn   : Cisco SD-WAN Command Injection
                                           Vulnerabilities
       cisco-sa-sdwan-dosmulti-48jJuEUP  : Cisco SD-WAN Denial of Service
                                           Vulnerabilities

    +---------------------+------------------------------+------------------------------+
    | Cisco SD-WAN        | First Fixed Release for      | First Fixed Release for All  |
    | Release             | These Vulnerabilities        | Vulnerabilities Described in |
    |                     |                              | the Collection of Advisories |
    +---------------------+------------------------------+------------------------------+
    | Earlier than 18.3   | Migrate to a fixed release.  | Migrate to a fixed release.  |
    | 18.3                | Migrate to a fixed release.  | Migrate to a fixed release.  |
    | 18.4                | Migrate to a fixed release.  | Migrate to a fixed release.  |
    | 19.2                | Migrate to a fixed release.  | Migrate to a fixed release.  |
    | 19.3                | Migrate to a fixed release.  | Migrate to a fixed release.  |
    | 20.1                | 20.1.2                       | Migrate to a fixed release.  |
    | 20.3                | 20.3.2                       | 20.3.2                       |
    | 20.4                | 20.4.1                       | 20.4.1                       |
    +---------------------+------------------------------+------------------------------+

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerabilities that are
    described in this advisory.
Source

  o The following vulnerabilities were found during the resolution of a Cisco
    TAC support case: CVE-2021-1260 and CVE-2021-1261.

    The following vulnerabilities were found during internal security testing:

       James Spadaro of Cisco: CVE-2021-1262
       Joseph Connor of Cisco: CVE-2021-1263
       Andrew Kim of Cisco: CVE-2021-1298
       Alex Lumsden of Cisco: CVE-2021-1299

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-cmdinjm-9QMSmgcn

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-JAN-20  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco SD-WAN Denial of Service Vulnerabilities

Priority:        High
Advisory ID:     cisco-sa-sdwan-dosmulti-48jJuEUP
First Published: 2021 January 20 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvq20708 CSCvt11522 CSCvt11523 CSCvt11530 CSCvu28409
                 CSCvu31763
CVE Names:       CVE-2021-1241 CVE-2021-1273 CVE-2021-1274 CVE-2021-1278
                 CVE-2021-1279
CWEs:            CWE-119 CWE-20 CWE-787

Summary

  o Multiple vulnerabilities in Cisco SD-WAN products could allow an
    unauthenticated, remote attacker to execute denial of service (DoS)
    attacks against an affected device.

    For more information about these vulnerabilities, see the Details section
    of this advisory.

    Cisco has released software updates that address these vulnerabilities.
    There are no workarounds that address these vulnerabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-dosmulti-48jJuEUP

Affected Products

  o Vulnerable Products

    These vulnerabilities may affect the following Cisco products if they are
    running a vulnerable release of Cisco SD-WAN Software:

       IOS XE SD-WAN Software
       SD-WAN vBond Orchestrator Software
       SD-WAN vEdge Cloud Routers
       SD-WAN vEdge Routers
       SD-WAN vManage Software
       SD-WAN vSmart Controller Software

    See the Details section of this advisory for information on vulnerable
    products for each vulnerability.

    For information about which Cisco software releases are vulnerable, see
    the Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by these vulnerabilities.

    Cisco has confirmed that these vulnerabilities do not affect Cisco IOS XE
    universal image releases 17.2.1r and later.

Details

  o The vulnerabilities are not dependent on one another. Exploitation of one
    of the vulnerabilities is not required to exploit the other vulnerability.
    In addition, a software release that is affected by one of the
    vulnerabilities may not be affected by the other vulnerability.

    Details about the vulnerabilities are as follows.

    CVE-2021-1241: Cisco SD-WAN vEdge Router VPN Denial of Service
    Vulnerability

    A vulnerability in VPN tunneling features of Cisco SD-WAN vEdge Routers
    could allow an unauthenticated, remote attacker to cause a DoS condition
    on an affected system.

    The vulnerability is due to insufficient handling of malformed packets. An
    attacker could exploit this vulnerability by sending crafted packets
    through an affected device. A successful exploit could allow the attacker
    to cause the device to reboot, resulting in a DoS condition on the
    affected system.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    Bug ID(s): CSCvu31763
    CVE ID: CVE-2021-1241
    Security Impact Rating (SIR): High
    CVSS Base Score: 8.6
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

    CVE-2021-1273: Cisco SD-WAN IPSec Denial of Service Vulnerability

    A vulnerability in the IPSec tunnel management of Cisco SD-WAN vBond
    Orchestrator Software, Cisco SD-WAN vEdge Cloud Routers, Cisco SD-WAN
    vEdge Routers, Cisco SD-WAN vManage Software, and Cisco SD-WAN vSmart
    Controller Software could allow an unauthenticated, remote attacker to
    cause a DoS condition on an affected system.

    The vulnerability is due to the bounds checking in the forwarding plane of
    the IPSec tunnel management functionality. An attacker could exploit this
    vulnerability by sending crafted IPv4 or IPv6 packets to a specific
    device. A successful exploit could allow the attacker to cause a DoS
    condition on the affected system.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    Bug ID(s): CSCvu28409
    CVE ID: CVE-2021-1273
    Security Impact Rating (SIR): High
    CVSS Base Score: 8.6
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

    CVE-2021-1274: Cisco SD-WAN UDP Denial of Service Vulnerability

    A vulnerability in the UDP connection response of Cisco IOS XE SD-WAN,
    Cisco SD-WAN vBond Orchestrator Software, Cisco SD-WAN vEdge Cloud
    Routers, Cisco SD-WAN vEdge Routers, Cisco SD-WAN vManage Software, and
    Cisco SD-WAN vSmart Controller Software could allow an unauthenticated,
    remote attacker to cause a DoS condition on an affected system.

    The vulnerability is due to the presence of a null dereference in vDaemon.
    An attacker could exploit this vulnerability by sending crafted traffic to
    a specific device. A successful exploit could allow the attacker to cause
    a DoS condition on the affected system.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    Bug ID(s): CSCvt11523
    CVE ID: CVE-2021-1274
    Security Impact Rating (SIR): High
    CVSS Base Score: 8.6
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

    CVE-2021-1278: Cisco SD-WAN Denial of Service Vulnerabilities

    Multiple vulnerabilities in the symbolic link (symlink) creation
    functionality of Cisco SD-WAN vBond Orchestrator Software, Cisco SD-WAN
    vEdge Cloud Routers, Cisco SD-WAN vEdge Routers, Cisco SD-WAN vManage
    Software, and Cisco SD-WAN vSmart Controller Software could allow an
    authenticated, local attacker to overwrite arbitrary files that are owned
    by the root user on the affected system.

    These vulnerabilities are due to the absence of validation checks for the
    input that is used to create symlinks. An attacker could exploit these
    vulnerabilities by creating a symlink to a target file on a specific path.
    A successful exploit could allow the attacker to corrupt the contents of
    the file. If the file is a critical systems file, the exploit could lead
    to a DoS condition on an affected system.

    To exploit these vulnerabilities, the attacker would need to have valid
    credentials on the system.

    Cisco has released software updates that address these vulnerabilities.
    There are no workarounds that address these vulnerabilities.

    Bug ID(s): CSCvt11522, CSCvt11530
    CVE ID: CVE-2021-1278
    Security Impact Rating (SIR): Medium
    CVSS Base Score: 6.7
    CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H

    CVE-2021-1279: Cisco SD-WAN SNMPv3 Denial of Service Vulnerability

    A vulnerability in the SNMPv3 management feature of Cisco SD-WAN vBond
    Orchestrator Software, Cisco SD-WAN vEdge Cloud Routers, Cisco SD-WAN
    vEdge Routers, Cisco SD-WAN vManage Software, and Cisco SD-WAN vSmart
    Controller Software could allow an unauthenticated, remote attacker to
    cause a DoS condition on an affected system.

    The vulnerability is due to insufficient input validation for the SNMPv3
    management functionality.
    An attacker could exploit this vulnerability by sending crafted SNMPv3
    traffic to a specific device. A successful exploit could allow the
    attacker to cause a DoS condition on the affected system.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    Bug ID(s): CSCvq20708
    CVE ID: CVE-2021-1279
    Security Impact Rating (SIR): Medium
    CVSS Base Score: 5.3
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Workarounds

  o There are no workarounds that address these vulnerabilities.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate fixed software release
    as indicated in the following table(s). To ensure a complete upgrade
    solution, consider that this advisory is part of a collection that
    includes the following advisories:

      cisco-sa-sdwan-abyp-TnGFHrS       : Cisco SD-WAN vManage Authorization Bypass Vulnerabilities
      cisco-sa-sdwan-bufovulns-B5NrSHbj : Cisco SD-WAN Buffer Overflow Vulnerabilities
      cisco-sa-sdwan-cmdinjm-9QMSmgcn   : Cisco SD-WAN Command Injection Vulnerabilities
      cisco-sa-sdwan-dosmulti-48jJuEUP  : Cisco SD-WAN Denial of Service Vulnerabilities

    SD-WAN Software

    +-----------------+-----------------------------+-------------------------------------+
    | Cisco SD-WAN    | First Fixed Release for     | First Fixed Release for All         |
    | Software        | These Vulnerabilities       | Vulnerabilities Described in This   |
    | Releases        |                             | Collection of Advisories            |
    +-----------------+-----------------------------+-------------------------------------+
    | Earlier than    | Migrate to a fixed release. | Migrate to a fixed release.         |
    | 18.3            |                             |                                     |
    | 18.3            | Migrate to a fixed release. | Migrate to a fixed release.         |
    | 18.4            | 18.4.6                      | Migrate to a fixed release.         |
    | 19.2            | Migrate to a fixed release. | Migrate to a fixed release.         |
    | 19.3            | Migrate to a fixed release. | Migrate to a fixed release.         |
    | 20.1            | 20.1.2                      | Migrate to a fixed release.         |
    | 20.3            | 20.3.1                      | 20.3.2                              |
    | 20.4            | 20.4.1                      | 20.4.1                              |
    +-----------------+-----------------------------+-------------------------------------+

    IOS XE SD-WAN Software

    +-----------------+-----------------------------+-------------------------------------+
    | Cisco IOS XE    | First Fixed Release for     | First Fixed Release for All         |
    | SD-WAN          | These Vulnerabilities       | Vulnerabilities Described in This   |
    | Releases        |                             | Collection of Advisories            |
    +-----------------+-----------------------------+-------------------------------------+
    | 16.9            | Migrate to a fixed release. | Migrate to a fixed release.         |
    | 16.10           | Migrate to a fixed release. | Migrate to a fixed release.         |
    | 16.11           | Migrate to a fixed release. | Migrate to a fixed release.         |
    | 16.12           | 16.12.4                     | 16.12.4                             |
    +-----------------+-----------------------------+-------------------------------------+

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerabilities that are
    described in this advisory.

Source

  o CVE-2021-1273: This vulnerability was found by Joseph Connor of Cisco
    during internal security testing.

    CVE-2021-1274: This vulnerability was found by Arthur Vidineyev of Cisco
    during internal security testing.

    CVE-2021-1278: This vulnerability was found by Andrew Kim of Cisco during
    internal security testing.

    CVE-2021-1279: This vulnerability was found during internal security
    testing.

    CVE-2021-1241: This vulnerability was found during the resolution of a
    Cisco TAC support case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-dosmulti-48jJuEUP

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-JAN-20  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco SD-WAN Information Disclosure Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-sdwan-infodis-2-UPO232DG
First Published: 2021 January 20 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvi69962
CVE Names:       CVE-2021-1233
CWEs:            CWE-20
CVSS Score:      4.4 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the CLI of Cisco SD-WAN Software could allow an
    authenticated, local attacker to access sensitive information on an
    affected device.

    The vulnerability is due to insufficient input validation of requests that
    are sent to the iperf tool. An attacker could exploit this vulnerability
    by sending a crafted request to the iperf tool, which is included in Cisco
    SD-WAN Software. A successful exploit could allow the attacker to obtain
    any file from the filesystem of an affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-infodis-2-UPO232DG

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected the following
    Cisco products if they were running a release of Cisco SD-WAN Software
    earlier than Release 18.4.3:

      SD-WAN vBond Orchestrator Software
      SD-WAN vEdge Cloud Routers
      SD-WAN vEdge Routers
      SD-WAN vManage Software

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.
Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, Cisco SD-WAN Software releases 18.4.3 and
    later contained the fix for this vulnerability.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-infodis-2-UPO232DG

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-JAN-20  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
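As an added exposure check (not code from Cisco or AusCERT), the functions below encode the two fixed-release tables from the Denial of Service advisory (cisco-sa-sdwan-dosmulti-48jJuEUP) and the 18.4.3 threshold from the Information Disclosure advisory (cisco-sa-sdwan-infodis-2-UPO232DG) above, and report for a running release whether it is fixed, needs an upgrade within its train, or must migrate to another train. The status strings and the handling of trains the tables do not list are this example's own conventions; every release string passed in is a constructed sample.

```python
from typing import Dict, Optional, Tuple

# Added example, not Cisco's or AusCERT's code. Table data is copied from the
# advisories above; release strings passed to these functions are constructed samples.
Row = Tuple[Optional[str], Optional[str]]   # (fixed for dosmulti, fixed for whole collection)
MIGRATE = None                              # "Migrate to a fixed release."

# cisco-sa-sdwan-dosmulti-48jJuEUP: trains that received a numbered fix
SDWAN_FIXED: Dict[str, Row] = {"18.4": ("18.4.6", MIGRATE), "20.1": ("20.1.2", MIGRATE),
                               "20.3": ("20.3.1", "20.3.2"), "20.4": ("20.4.1", "20.4.1")}
IOS_XE_FIXED: Dict[str, Row] = {"16.12": ("16.12.4", "16.12.4")}
# Trains listed only as "Migrate to a fixed release." (SD-WAN: plus everything before 18.3)
SDWAN_MIGRATE = {"18.3", "19.2", "19.3"}
IOS_XE_MIGRATE = {"16.9", "16.10", "16.11"}
# cisco-sa-sdwan-infodis-2-UPO232DG: SD-WAN Software 18.4.3 and later contain the fix
INFODIS_FIRST_FIXED = "18.4.3"

def parse_release(release: str) -> Tuple[int, ...]:
    """'20.3.1' -> (20, 3, 1); the tuples compare in release order."""
    return tuple(int(p) for p in release.strip().split("."))

def train_of(release: str) -> str:
    major, minor = parse_release(release)[:2]
    return f"{major}.{minor}"

def status(release: str, first_fixed: Optional[str]) -> str:
    """'fixed', 'upgrade to X' within the same train, or 'migrate' off the train."""
    if first_fixed is MIGRATE:
        return "migrate"
    if parse_release(release) >= parse_release(first_fixed):
        return "fixed"
    return f"upgrade to {first_fixed}"

def dosmulti_status(release: str, ios_xe: bool = False) -> Tuple[str, str]:
    """(status for the DoS advisory alone, status for the whole advisory collection)."""
    train = train_of(release)
    fixed, migrate = (IOS_XE_FIXED, IOS_XE_MIGRATE) if ios_xe else (SDWAN_FIXED, SDWAN_MIGRATE)
    if train in fixed:
        this_adv, collection = fixed[train]
        return status(release, this_adv), status(release, collection)
    if train in migrate or (not ios_xe and parse_release(train) < (18, 3)):
        return "migrate", "migrate"
    return "not in table", "not in table"   # e.g. a train released after the advisory

def infodis_status(release: str) -> str:
    """Information Disclosure advisory covers SD-WAN Software (vBond/vEdge/vManage), not IOS XE."""
    return status(release, INFODIS_FIRST_FIXED)
```

A release is only "fixed" for the whole collection when its train has a numbered release in the right-hand column; 18.4.6 and 20.1.2 close the DoS advisory alone and still report "migrate" for the collection, as the tables state.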
Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================