
Critical Vulnerabilities Cisco SD-WAN

7 April 2021

Cisco has publicly disclosed several critical vulnerabilities affecting their Software Defined WAN (SD-WAN) products. A total of eight vulnerabilities were revealed. Each was assigned a CVSS rating of 9.6 or more, indicating a critical vulnerability requiring immediate remediation.

The SD-WAN vulnerabilities can be grouped by the weakness an attacker would exploit on the target system: command injection, buffer overflow and insufficient input validation. All three classes should be treated as high-risk.

CVE-2021-1299 features a critical command injection vulnerability which exists in the web-based management interface of Cisco SD-WAN vManage, with a CVSS rating of 9.9. This vulnerability could allow an authenticated attacker to gain root-level access to affected systems and execute privileged commands. Whilst it requires an authenticated user to perform this exploit, the criticality rating indicates the severity with which a successful attack could impact the target system.

CVE-2021-1300 is a buffer overflow vulnerability with an assigned CVSS rating of 9.8 that stems from incorrect handling of IP traffic. An attacker could exploit it by sending crafted IP traffic through affected devices. Processing that traffic could cause a buffer overflow, allowing the attacker to execute privileged commands.

CVE-2021-1264 is another critical vulnerability, with a high CVSS score of 9.6. It was identified within the Command Runner tool of Cisco DNA Center, which allows users to send diagnostic commands to known devices. The vulnerability stems from insufficient input validation: an attacker could exploit it by providing crafted input during command execution or in Command Runner API calls.
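Both CVE-2021-1299 and CVE-2021-1264 above are cases of user-supplied input reaching a command executor. The snippet below is an added illustration written for this article, not Cisco code and not a reconstruction of either flaw: it contrasts the weak pattern (splicing input into a shell string) with a hardened diagnostic runner that allowlists commands, resolves targets against an inventory and builds an argv list, plus a small check a SOC could use to flag requests carrying shell metacharacters. The command names, device inventory and the `looks_injected` helper are all constructed for the example.

```python
import re

# Constructed allowlist of diagnostics an operator may request, mapped to the
# argv the runner will execute.  Hypothetical names, not Command Runner's.
ALLOWED_DIAGNOSTICS = {
    "ping": ["ping", "-c", "3"],
    "traceroute": ["traceroute"],
}

# Constructed inventory of "known devices" the runner may target.
KNOWN_DEVICES = {"edge-01": "10.0.0.1", "edge-02": "10.0.0.2"}

# Characters a hostname or device name never needs but a shell interprets.
SHELL_METACHARS = re.compile(r"[;&|`$<>\n]")


def build_unsafe(command, target):
    """The weak pattern: caller input is spliced into one shell string.
    The string is returned, never executed, so the effect of crafted input
    stays visible without running anything."""
    return f"{command} {target}"


def looks_injected(text):
    """Detection check (constructed helper): does a request carry shell
    metacharacters?  Suitable as an audit-log or SOC alert trigger on the
    management interface's request log."""
    return SHELL_METACHARS.search(text) is not None


def build_safe(command, target):
    """Hardened form: allowlist the command, resolve the target against the
    inventory instead of trusting the string, and return an argv list so the
    target is always exactly one argument and never interpreted by a shell
    (pass the list to subprocess.run with shell=False)."""
    if command not in ALLOWED_DIAGNOSTICS:
        raise ValueError(f"diagnostic not permitted: {command!r}")
    if target not in KNOWN_DEVICES:
        raise ValueError(f"unknown device: {target!r}")
    return ALLOWED_DIAGNOSTICS[command] + [KNOWN_DEVICES[target]]


if __name__ == "__main__":
    crafted = "edge-01; id"   # constructed example of a crafted target field
    print("unsafe string:", build_unsafe("ping", crafted))
    print("flagged:", looks_injected(crafted))
    print("safe argv:", build_safe("ping", "edge-01"))
```

The important design choice is that the hardened runner never forwards the caller's target string at all; it treats the input as a lookup key, so even a validation bypass yields at most a "known device" error rather than a shell.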

At the time of writing, we have no indication these vulnerabilities are being actively exploited. Our Security Operations Centre (SOC) has provisions in place to provide enhanced monitoring on impacted devices and is leveraging vulnerability management data to alert on any instance of these vulnerabilities being present within monitored environments.

We recommend that all impacted versions of Cisco SD-WAN are scanned for vulnerabilities, and that any impacted systems be upgraded.
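As an added example of the alerting described in the two paragraphs above (not Sapphire's SOC tooling), the script below correlates a vulnerability-scan export against the three CVEs named in this article and raises one alert per affected host. The scan export is constructed for the example: one JSON finding per line, including a deliberately malformed line and a placeholder CVE (`CVE-0000-0001`) so that the parser's tolerance and the watchlist filtering can both be seen; the hostnames are invented.

```python
import json
from collections import defaultdict

# The CVEs named in the advisory and the CVSS scores it gives for them.
WATCHLIST = {
    "CVE-2021-1299": 9.9,
    "CVE-2021-1300": 9.8,
    "CVE-2021-1264": 9.6,
}

# Constructed scan export (not real data): one finding per line as JSON.
# CVE-0000-0001 is a placeholder for an unrelated, lower-severity finding.
SAMPLE_SCAN_EXPORT = """\
{"host": "vmanage-01.example.internal", "product": "Cisco SD-WAN vManage", "cve": "CVE-2021-1299", "cvss": 9.9}
{"host": "vmanage-01.example.internal", "product": "Cisco SD-WAN vManage", "cve": "CVE-0000-0001", "cvss": 5.3}
{"host": "vedge-07.example.internal", "product": "Cisco SD-WAN vEdge", "cve": "CVE-2021-1300", "cvss": 9.8}
this line is deliberately malformed
{"host": "dnac-01.example.internal", "product": "Cisco DNA Center", "cve": "cve-2021-1264", "cvss": 9.6}
{"host": "www-01.example.internal", "product": "nginx", "cve": "CVE-0000-0001", "cvss": 5.3}
"""


def parse_findings(export_text):
    """Parse a line-delimited JSON export, skipping blank or malformed lines
    and records missing the fields the correlation needs."""
    findings = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate one bad line rather than losing the export
        if not {"host", "cve"} <= rec.keys():
            continue
        findings.append(rec)
    return findings


def correlate(findings, watchlist=WATCHLIST):
    """Map host -> list of (cve, cvss) for findings on the watchlist.
    CVE ids are normalised to upper case; scanners are inconsistent."""
    hits = defaultdict(list)
    for rec in findings:
        cve = rec["cve"].upper()
        if cve in watchlist:
            hits[rec["host"]].append((cve, watchlist[cve]))
    return dict(hits)


def build_alerts(findings, watchlist=WATCHLIST):
    """One alert per affected host, highest CVSS first, so analysts see the
    vManage command-injection exposure before the rest."""
    alerts = []
    for host, cves in correlate(findings, watchlist).items():
        top = max(score for _, score in cves)
        alerts.append({
            "host": host,
            "cves": sorted(cve for cve, _ in cves),
            "max_cvss": top,
            "severity": "critical" if top >= 9.0 else "high",
        })
    alerts.sort(key=lambda a: (-a["max_cvss"], a["host"]))
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(parse_findings(SAMPLE_SCAN_EXPORT)):
        print(f"[{alert['severity'].upper()}] {alert['host']}: "
              f"{', '.join(alert['cves'])} (max CVSS {alert['max_cvss']})")
```

Run against a real export, the same loop would feed a SIEM rather than print; the watchlist-first approach is what lets an advisory like this one be turned into an alert within minutes of publication, before the scanner vendor ships a dedicated check.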

We are also continuing to monitor threat intelligence channels for technical indicators of compromise (IOCs), exploit code and chatter from threat actors relating to these vulnerabilities.

Sapphire’s SOC collects and monitors threat intelligence from the open web, deep web and dark web. Our threat intelligence is obtained from a variety of sources, including proprietary and premium intelligence feeds, security advisories, social media, honeypots and Open-Source Intelligence.

Monitoring for IOCs across these channels allows the SOC to adopt a proactive approach when protecting our customers. For example, CVE-2021-1299 was first referenced on GitHub over a month before the official NIST and subsequent Cisco advisories were published, giving analysts advance notice of where to focus attention.
