Cisco has patched eight Critical vulnerabilities in its SD-WAN products and released fixes for multiple other network products.
An attacker could remotely exploit some of these vulnerabilities to take control of an impacted system.
SD-WAN vulnerabilities
Cisco patched eight Critical SD-WAN vulnerabilities on January 20, 2021: six SD-WAN command injection vulnerabilities and two SD-WAN buffer overflow issues.
“Multiple vulnerabilities in Cisco SD-WAN products could allow an authenticated attacker to perform command injection attacks against an affected device, which could allow the attacker to take certain actions with root privileges on the device,” Cisco warned in the security advisory.
The six patched SD-WAN command injection vulnerabilities include: CVE-2021-1260, CVE-2021-1261, CVE-2021-1262, CVE-2021-1263, CVE-2021-1298, and CVE-2021-1299.
Cisco products vulnerable to these command injection flaws include:
- SD-WAN vBond Orchestrator Software
- SD-WAN vEdge Cloud Routers
- SD-WAN vEdge Routers
- SD-WAN vManage Software
- SD-WAN vSmart Controller Software
In a second SD-WAN advisory, Cisco patched buffer overflow vulnerabilities CVE-2021-1300 and CVE-2021-1301 that could “allow an unauthenticated, remote attacker to execute attacks against an affected device.”
Cisco products vulnerable to these buffer overflow issues include:
- IOS XE SD-WAN Software
- SD-WAN vBond Orchestrator Software
- SD-WAN vEdge Cloud Routers
- SD-WAN vEdge Routers
- SD-WAN vManage Software
- SD-WAN vSmart Controller Software
Other network product patches
In addition to SD-WAN patches, Cisco also addressed two other Critical vulnerabilities in Cisco products:
- Cisco DNA Center Command Runner Command Injection Vulnerability (CVE-2021-1264)
- Cisco Smart Software Manager Satellite Web UI Command Injection Vulnerabilities (CVE-2021-1138, CVE-2021-1139 and CVE-2021-1140)
Moreover, Cisco patched 8 other High severity vulnerabilities, including a Cisco Secure Web Appliance privilege escalation vulnerability (CVE-2020-3367), DNA Center vulnerabilities (CVE-2021-1265 and CVE-2021-1257), a Cisco Data Center Network Manager vulnerability (CVE-2021-1272), and vulnerabilities in other products.
Finally, Cisco addressed multiple Medium severity vulnerabilities in other Cisco products, including the new Finesse OpenSocial Gadget Editor Vulnerabilities (CVE-2021-1245 and CVE-2021-1246) released on January 22, 2021.