Cisco has publicly disclosed several critical vulnerabilities affecting their Software Defined WAN (SD-WAN) products. A total of eight vulnerabilities were revealed. Each were identified with a CVSS rating of 9.6 or more, indicating a critical vulnerability which required immediate remediation.
The SD-WAN vulnerabilities can be grouped by the method in which they exploit the weakness of the target system: command injection , buffer overflow and input validation. All methods can be considered as high-risk.
CVE-2021-1299 features a critical command injection vulnerability which exists in the web-based management interface of Cisco SD-WAN vManage, with a CVSS rating of 9.9. This vulnerability could allow an authenticated attacker to gain root-level access to affected systems and execute privileged commands. Whilst it requires an authenticated user to perform this exploit, the criticality rating indicates the severity with which a successful attack could impact the target system.
The CVE-2021-1300 buffer overflow vulnerability with an assigned CVSS rating of 9.8 exploits a flaw that stems from incorrect handling of IP traffic. An attacker could exploit this with crafted IP traffic through affected devices. This could cause a buffer overflow when traffic is processed, allowing attackers to execute privileged commands.
CVE-2021-1264 is another critical vulnerability with a high CVSS Score of 9.6. This was identified within the Command Runner tool of the Cisco DNA Center. This vulnerability exploits input validation, allowing users to send diagnostic commands to known devices. An attacker can exploit this by providing crafted input during command execution, or Command Runner API calls.
At the time of writing, we have no indication these vulnerabilities are being actively exploited. Our Security Operations Centre (SOC) has provisions in place to provide enhanced monitoring on impacted devices and is leveraging vulnerability management data to alert on any instance of these vulnerabilities being present within monitored environments.
We recommend that all impacted versions of Cisco SD-WAN are scanned for vulnerabilities, and that any impacted systems be upgraded.
We are also continuing to monitor threat intelligence channels for technical indicators of compromise (IOCs), exploit code and chatter from threat actors relating to these vulnerabilities.
Sapphire’s SOC collects and monitors threat intelligence from the open web, deep web and dark web. Our threat intelligence is obtained via a variety of sources including, proprietary and premium intelligence feeds, security advisories, social media, honey pots and Open-Source Intelligence.
Monitoring for IOCs across these channels allows the SOC to adopt a proactive approach when protecting our customers. For example, the CVE-2021-1299 was first referenced in GitHub over a month before the official NIST and subsequent Cisco advisories were published, giving analysts advanced notice where to focus attention.