Critical Cisco Bugs Allow Code Execution on Wireless, SD-WAN

Unauthenticated cyberattackers can also wreak havoc on networking equipment configurations.

Cisco is warning of three critical security vulnerabilities affecting its flagship IOS XE software, the operating system for most of its enterprise networking portfolio. The flaws impact Cisco’s wireless controllers, its SD-WAN offering and the configuration mechanisms used by scads of products.

The networking giant has released patches for all of them, as part of a broad 32-bug update released this week.

The most severe of the critical bugs is an unauthenticated remote-code-execution (RCE) and denial-of-service (DoS) flaw affecting the Cisco Catalyst 9000 family of wireless controllers.

CVE-2021-34770: RCE and DoS for Wireless Controllers

Carrying a rare 10 out of 10 CVSS vulnerability-severity rating, the issue (CVE-2021-34770) exists specifically in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing used by the Cisco IOS XE software that powers the devices.

“The vulnerability is due to a logic error that occurs during the validation of CAPWAP packets,” Cisco explained in its advisory this week. “An attacker could exploit this vulnerability by sending a crafted CAPWAP packet to an affected device. A successful exploit could allow the attacker to execute arbitrary code with administrative privileges or cause the affected device to crash and reload, resulting in a DoS condition.”

Absent a workaround or mitigation, admins should patch as soon as possible to avoid compromise. The affected products are:

  • Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
  • Catalyst 9800 Series Wireless Controllers
  • Catalyst 9800-CL Wireless Controllers for Cloud
  • Embedded Wireless Controller on Catalyst Access Points

CVE-2021-34727: RCE and DoS for Cisco SD-WAN

The next two critical bugs both rate 9.8 out of 10 on the CVSS scale. The first of these is a software buffer-overflow issue (CVE-2021-34727) in Cisco’s SD-WAN software (which can be enabled via IOS XE software), which could allow unauthenticated RCE as root as well as DoS attacks. It arises in the vDaemon process, according to the advisory.

“This vulnerability is due to insufficient bounds-checking when an affected device processes traffic,” according to Cisco. “An attacker could exploit this vulnerability by sending crafted traffic to the device. A successful exploit could allow the attacker to cause a buffer overflow and possibly execute arbitrary commands with root-level privileges, or cause the device to reload, which could result in a denial-of-service condition.”

Once again there are no workarounds or mitigations for this one, so patching promptly is the only fix. The following products are vulnerable if orgs are using the SD-WAN feature:

  • 1000 Series Integrated Services Routers (ISRs)
  • 4000 Series ISRs
  • ASR 1000 Series Aggregation Services Routers
  • Cloud Services Router 1000V Series

CVE-2021-1619: Endangering Device Configurations

The last critical bug is an authentication-bypass vulnerability in the IOS XE software – specifically affecting the Network Configuration Protocol (NETCONF), used to install, manipulate and delete the configuration of network devices through a network management system; and the RESTCONF protocol, a REST-based HTTP interface used to query and configure devices that expose NETCONF configuration datastores.

The issue (CVE-2021-1619) resides specifically in the authentication, authorization and accounting (AAA) function, Cisco explained, and could allow an unauthenticated, remote attacker to bypass NETCONF or RESTCONF authentication and wreak havoc in a couple of ways:

  • Install, manipulate or delete the configuration of an affected device
  • Cause memory corruption that results in DoS

“This vulnerability is due to an uninitialized variable,” according to the advisory. “An attacker could exploit this vulnerability by sending a series of NETCONF or RESTCONF requests to an affected device.”

This vulnerability affects devices running the following:

  • Cisco IOS XE software if configured for autonomous or controller mode
  • Cisco IOS XE SD-WAN software

Workaround, Mitigation Available

Unlike the previous two bugs, this one has both a workaround and a mitigation.

On the workaround front, it’s important to note that, to be vulnerable, a device must have all three of the following configured:

  • AAA
  • NETCONF, RESTCONF or both
  • “enable password” used without “enable secret”

Thus, users can remove the “enable password” configuration and configure “enable secret” instead in order to protect themselves. Since all three conditions are required, removing any one of them closes the exposure; swapping the password for a secret is the one that costs nothing operationally.

As for a mitigation, to limit the attack surface, admins can ensure that access control lists (ACLs) are in place for NETCONF and RESTCONF to block access attempts from untrusted subnets, Cisco advised.
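Because the CVE-2021-1619 exposure is a conjunction of three configuration conditions, it lends itself to an offline audit of saved running-configs. The following is an added example written for this article, not Cisco’s code or anything from the advisory. It checks a config for the three preconditions listed above (AAA enabled, NETCONF and/or RESTCONF enabled, “enable password” present without “enable secret”) and, for a vulnerable device, emits the workaround commands. The two sample configs are constructed for the example; the `<new-strong-secret>` placeholder and the matching of the bare `netconf-yang` and `restconf` lines as the service-enabling statements are assumptions about how the config is written, so verify them against your own platform’s output.

```python
"""Audit an IOS XE running-config for the CVE-2021-1619 preconditions.

Added example, not Cisco's code. A device is exposed only when ALL of:
  - AAA is configured ("aaa new-model"),
  - NETCONF ("netconf-yang") and/or RESTCONF ("restconf") is enabled,
  - "enable password" is set and "enable secret" is not.
Sample configs below are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Top-level config statements that establish each precondition. The bare
# "netconf-yang" / "restconf" lines are what turn those services on (assumption:
# sub-options such as "netconf-yang ssh port 830" are not counted on their own).
_PATTERNS = {
    "aaa": re.compile(r"^aaa new-model$"),
    "netconf": re.compile(r"^netconf-yang$"),
    "restconf": re.compile(r"^restconf$"),
    "enable_password": re.compile(r"^enable password\b"),
    "enable_secret": re.compile(r"^enable secret\b"),
}


@dataclass
class Exposure:
    aaa: bool = False
    netconf: bool = False
    restconf: bool = False
    enable_password: bool = False
    enable_secret: bool = False

    @property
    def vulnerable(self) -> bool:
        """True only when every advisory precondition holds at once."""
        return (self.aaa and (self.netconf or self.restconf)
                and self.enable_password and not self.enable_secret)


def audit(config_text: str) -> Exposure:
    """Walk the config line by line, honouring a leading 'no ' as negation."""
    exp = Exposure()
    for raw in config_text.splitlines():
        # Skip blank lines, comments ("!") and indented sub-mode lines; all
        # statements we care about are top-level.
        if not raw or raw[0].isspace() or raw.startswith("!"):
            continue
        line = raw.strip()
        negated = line.startswith("no ")
        if negated:
            line = line[3:]
        for name, pat in _PATTERNS.items():
            if pat.match(line):
                setattr(exp, name, not negated)
    return exp


def remediation(exp: Exposure) -> list[str]:
    """Workaround CLI for a vulnerable device: add the secret first, then drop
    the password, so an operator is never left without an enable credential.
    (ACL-based mitigation is platform-specific and not emitted here.)"""
    if not exp.vulnerable:
        return []
    return ["enable secret <new-strong-secret>", "no enable password"]


# Constructed sample: the weak configuration, all three conditions present.
VULN_CONFIG = """\
!
hostname edge-rtr-01
!
aaa new-model
aaa authentication login default local
!
enable password 7 0822455D0A16
!
username admin privilege 15 secret 9 $9$constructed-hash
!
ip http secure-server
restconf
netconf-yang
!
end
"""

# Constructed sample: same device after applying the workaround.
SAFE_CONFIG = VULN_CONFIG.replace(
    "enable password 7 0822455D0A16", "enable secret 9 $9$constructed-hash")

if __name__ == "__main__":
    for label, cfg in (("before", VULN_CONFIG), ("after", SAFE_CONFIG)):
        exp = audit(cfg)
        print(label, "vulnerable" if exp.vulnerable else "not vulnerable")
        for cmd in remediation(exp):
            print("   ", cmd)
```

Run against a directory of `show running-config` captures, the same `audit()` call flags which devices still carry the weak enable password; it does not tell you whether an ACL is already limiting who can reach NETCONF or RESTCONF, so the mitigation still has to be checked by hand.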
