Security updates have been released by Cisco addressing several critical remote code execution (RCE) vulnerabilities affecting multiple SD-WAN products and the Cisco Smart Software Manager software.
A. List of Vulnerabilities
Smart Software Manager Satellite Web UI Command Injection Vulnerabilities
– Allows an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system.
SD-WAN Command Injection Vulnerabilities
– Allows an authenticated attacker to perform command injection attacks against an affected device, which subsequently allow the attacker to take certain actions with root privileges on the device.
SD-WAN Buffer Overflow Vulnerabilities
– Allows an unauthenticated, remote attacker to execute attacks against an affected device.
DNA Center Command Runner Command Injection Vulnerability
– Allows an authenticated, remote attacker to perform a command injection attack.
B. List of Vulnerable Systems/Devices
Vulnerable Cisco SD-WAN and Cisco Smart Software Manager Software are as follows:
- IOS XE SD-WAN Software
- SD-WAN vBond Orchestrator Software
- SD-WAN vEdge Cloud Routers
- SD-WAN vEdge Routers
- SD-WAN vManage Software
- SD-WAN vSmart Controller Software
- DNA Center Software versions earlier than 18.104.22.168
- Smart Software Manager Satellite version 5.1.0 and earlier
C. Actions to be Taken
CERT-PH recommends the following actions be taken:
Immediately test and apply the corresponding patched versions of the affected Cisco product: