Cisco Systems has fixed three high-severity vulnerabilities in its software-defined networking for wide-area network (SD-WAN) solutions for business users. If exploited, the flaws could enable bad actors to execute commands with root privileges on affected systems. To exploit the vulnerabilities attackers need to first be local and authenticated.
The three flaws are located in various Cisco hardware and software products running the company’s SD-WAN software earlier than Release 19.2.2 (the fixed release). Hardware includes the company’s SD-WAN solutions: vBond and vSmart controllers (which implements network connectivity), the vManage Network Management system (the centralized management platform) and the vBond Orchestrator software (which performs authentication of all elements in the network). Also affected are various vEdge routers, and the corresponding vEdge cloud router platform.
“The Cisco Product Security Incident Response Team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory,” according to Cisco’s Wednesday advisory.
The most severe of these vulnerabilities is an insufficient input validation error (CVE-2020-3266) in the Command Line Interface (CLI) of SD-WAN. CLI is the text-based interface, used to operate software and allowing users to type single commands into the interface. While the flaw can only be exploited by authenticated and local attackers, if exploited it would enable them to inject arbitrary commands that are executed with root privileges.
“An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the CLI utility,” according to Cisco’s advisory. “The attacker must be authenticated to access the CLI utility. A successful exploit could allow the attacker to execute commands with root privileges.”
This flaw scores 7.8 out of 10.0 on the CVSS scale, making it high-severity.
The second flaw (CVE-2020-3264) is a buffer overflow vulnerability that also stems from insufficient input validation in the software. This flaw could enable an authenticated, local attacker to “gain access to information that they are not authorized to access and make changes to the system that they are not authorized to make.”
An attacker could exploit the flaw by sending crafted traffic to an affected device. The flaw ranks 7.1 out of 10.0 on the CVSS scale, or high severity.
The final high-severity flaw (CVE-2020-3265) is a privilege escalation flaw in the SD-WAN software that could allow authenticated, local attackers to elevate privileges – ultimately gaining “root-level” privileges on the underlying operating system. This flaw ranks 7.0 out of 10.0 on the CVSS scale.
“The vulnerability is due to insufficient input validation,” said Cisco. “An attacker could exploit this vulnerability by sending a crafted request to an affected system.”
Cisco has previously issued patches for several critical- and high-severity vulnerabilities in its SD-WAN software, including a critical privilege-escalation flaw (CVE-2019-1625) existing in CLI in June, and a high-severity flaw in the SD-WAN software in January.