

7 April 2021

Cisco has publicly disclosed several critical vulnerabilities affecting its Software Defined WAN (SD-WAN) products. A total of eight vulnerabilities were revealed. Each was assigned a CVSS rating of 9.6 or higher, indicating a critical vulnerability that requires immediate remediation.

The SD-WAN vulnerabilities can be grouped by the class of weakness they exploit in the target system: command injection, buffer overflow and input validation. All three classes should be treated as high-risk.

CVE-2021-1299 is a critical command injection vulnerability in the web-based management interface of Cisco SD-WAN vManage, with a CVSS rating of 9.9. This vulnerability could allow an authenticated attacker to gain root-level access to affected systems and execute privileged commands. Whilst exploitation requires an authenticated user, the criticality rating reflects the severity of the impact a successful attack could have on the target system.

CVE-2021-1300, a buffer overflow vulnerability with an assigned CVSS rating of 9.8, stems from incorrect handling of IP traffic. An attacker could exploit it by sending crafted IP traffic through affected devices. This could cause a buffer overflow when the traffic is processed, allowing the attacker to execute privileged commands.

CVE-2021-1264 is another critical vulnerability, with a high CVSS score of 9.6. It was identified within the Command Runner tool of Cisco DNA Center, which allows users to send diagnostic commands to known devices. The vulnerability is an input validation flaw: an attacker could exploit it by providing crafted input during command execution or in Command Runner API calls.

At the time of writing, we have no indication these vulnerabilities are being actively exploited. Our Security Operations Centre (SOC) has provisions in place to provide enhanced monitoring on impacted devices and is leveraging vulnerability management data to alert on any instance of these vulnerabilities being present within monitored environments.

We recommend that all impacted versions of Cisco SD-WAN are scanned for vulnerabilities, and that any impacted systems be upgraded.

We are also continuing to monitor threat intelligence channels for technical indicators of compromise (IOCs), exploit code and chatter from threat actors relating to these vulnerabilities.

Sapphire’s SOC collects and monitors threat intelligence from the open web, deep web and dark web. Our threat intelligence is obtained from a variety of sources, including proprietary and premium intelligence feeds, security advisories, social media, honeypots and Open-Source Intelligence.

Monitoring for IOCs across these channels allows the SOC to adopt a proactive approach when protecting our customers. For example, CVE-2021-1299 was first referenced on GitHub over a month before the official NIST entry and subsequent Cisco advisories were published, giving analysts advance notice of where to focus attention.
