Cisco has fixed five security vulnerabilities in its Software-Defined WAN (SD-WAN) Solution, two of which could allow an authenticated, local attacker to either gain root privileges on the underlying operating system or to inject arbitrary commands that are executed with root privileges.
While there is no indication that these flaws are being actively exploited, no workarounds addressing the vulnerabilities exist, so upgrading to Cisco SD-WAN Solution software release 19.2.2 is advised.
About the vulnerabilities
SD-WAN is a software-defined approach to managing the wide-area network (WAN), which allows companies to scale cloud-based applications across thousands of endpoints in the branch, campus, or SaaS and public cloud applications at a distance.
CVE-2020-3265 is a privilege escalation vulnerability that can be exploited by sending a crafted request to an affected system. CVE-2020-3266 is a command injection vulnerability that can be exploited by submitting crafted input to the CLI (command line interface) utility. CVE-2020-3264 is a buffer overflow vulnerability that could be exploited by sending crafted traffic to an affected device, and ultimately lead to information disclosure or tampering with the underlying system.
All of these are rated high-risk, even though they can only be exploited by local, authenticated attackers.
Cisco lists among the affected products (if they are running a vulnerable Cisco SD-WAN Solution software release):
- vBond Orchestrator Software
- vEdge 100 Series Routers
- vEdge 1000 Series Routers
- vEdge 2000 Series Routers
- vEdge 5000 Series Routers
- vEdge Cloud Router Platform
- vManage Network Management Software
- vSmart Controller Software
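The practical question for an operator reading this is which devices in the estate still need the 19.2.2 upgrade. The script below is an added example, not Cisco code: it takes a constructed (product, release) inventory, keeps only the products named in the list above, and flags anything running a release below 19.2.2. It assumes that every release earlier than 19.2.2 is affected, which the article does not spell out, so the exact affected-release list should be confirmed against Cisco's advisory before acting on the output. The parser compares release components numerically because a plain string comparison would rank a hypothetical "19.2.10" below "19.2.2" and wrongly flag it.

```python
"""Inventory triage for the Cisco SD-WAN fixed release 19.2.2.

Added example, not Cisco's code. Assumptions not stated in the article:
- every release earlier than 19.2.2 is treated as needing the upgrade
  (confirm the real affected-release list against Cisco's advisory);
- the inventory rows below are constructed sample data.
"""
import re
from typing import List, Tuple

FIXED_RELEASE = "19.2.2"  # the release the article says to upgrade to

# Affected products exactly as listed in the article.
AFFECTED_PRODUCTS = {
    "vBond Orchestrator Software",
    "vEdge 100 Series Routers",
    "vEdge 1000 Series Routers",
    "vEdge 2000 Series Routers",
    "vEdge 5000 Series Routers",
    "vEdge Cloud Router Platform",
    "vManage Network Management Software",
    "vSmart Controller Software",
}


def parse_release(release: str) -> Tuple[int, ...]:
    """Turn a dotted release such as '19.2.1' into a tuple of ints.

    Tuples compare component by component as numbers, so (19, 2, 10)
    correctly sorts after (19, 2, 2); the strings '19.2.10' and '19.2.2'
    would compare the other way round.
    """
    text = release.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)+", text):
        raise ValueError(f"unrecognised release string: {release!r}")
    return tuple(int(part) for part in text.split("."))


def needs_upgrade(product: str, release: str, fixed: str = FIXED_RELEASE) -> bool:
    """True when the product is on the affected list and its release is
    below the fixed one (assumption: all earlier releases are affected)."""
    if product not in AFFECTED_PRODUCTS:
        return False
    return parse_release(release) < parse_release(fixed)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (product, release) rows that should be upgraded."""
    return [(p, r) for p, r in inventory if needs_upgrade(p, r)]


# Constructed sample inventory; the release numbers are illustrative only.
SAMPLE_INVENTORY = [
    ("vManage Network Management Software", "19.2.1"),
    ("vEdge 1000 Series Routers", "18.4.3"),
    ("vSmart Controller Software", "19.2.2"),
    ("vEdge Cloud Router Platform", "19.2.10"),
    ("Unrelated Product", "17.1.0"),
]

if __name__ == "__main__":
    for product, release in triage(SAMPLE_INVENTORY):
        print(f"UPGRADE: {product} running {release} -> {FIXED_RELEASE}")
```

Feed it the product and release columns exported from vManage or whatever inventory system you keep, and treat its output as a worklist to verify against the vendor advisory rather than as a final verdict.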
Two additional flaws have been patched in Cisco SD-WAN Solution vManage Software release 19.2.2:
- CVE-2019-16010, a cross-site scripting (XSS) vulnerability that could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.
- CVE-2019-16012, a SQL injection vulnerability that could allow the attacker to modify values on, or return values from, the underlying database as well as the operating system.
These are considered to be medium-risk for a variety of reasons: to exploit them, the attacker needs to authenticate to the system first and, in CVE-2019-16010’s case, persuade a user of the interface to click a crafted link. Also, these can’t be used to completely compromise the underlying system.