{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-003.pdf"
    },
    "title": "Critical Vulnerabilities in Cisco SD WAN",
    "serial_number": "2021-003",
    "publish_date": "21-01-2021 11:32:00",
    "description": "Cisco has published an advisory about several vulnerabilities affecting Cisco SD-WAN software. These vulnerabilities could lead to remote code execution, denial of service, or authtication bypass. While Cisco is not aware of any malicious exploit in the wild, it is highly recommended to patch the affected products.",
    "url_title": "2021-003",
    "content_markdown": "---\ntitle: 'Critical Vulnerabilities in\u00a0Cisco\u00a0SD\u00a0WAN'\nversion: '1.0'\nnumber: '2021-003'\ndate: 'January 21, 2021'\n---\n\n_History:_\n\n* _21/01/2021 --- v1.0 -- Initial publication_\n\n# Summary\n\nCisco has published an advisory about several vulnerabilities affecting Cisco SD-WAN software [1-4]. These vulnerabilities could lead to **remote code execution**, **denial of service**, or **authtication bypass**. While Cisco is not aware of any malicious exploit in the wild, it is highly recommended to patch the affected products.\n\n# Technical Details\n\nThis advisory only describes the most critical vulnerabilities disclosed by Cisco.\n\n## CVE-2021-1300\n\nThe first vulnerability, identified by **CVE-2021-1300**, is due to incorrect handling of IP traffic by the SD-WAN software. By sending crafted packets to a vulnerable device, an **unauthenticated, remote** attacker could cause a **buffer overflow** on the underlying software. Successfully exploiting this vulnerability could lead the attacker to execute arbitrary code on the operating system with **root** privileges. The CVSS score of this vulnerability is **9.8**\n\n## CVE-2021-1302\n\nThe second vulnerability, identified by **CVE-2021-1302**, is due to insufficient authorization checks. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the **unauthenticated** attacker to bypass authorization and connect to other vManage tenants that they are not authorized to connect to. The CVSS score of this vulnerability is **8.8**\n\n## CVE-2021-1299\n\nThe third vulnerability, identified by **CVE-2021-1299**, is due to improper input validation of user-supplied input to the device template configuration. An **authenticated** attacker could exploit this vulnerability by submitting crafted input to the device template configuration. 
A successful exploit could allow the attacker to gain root-level access to the affected system. The CVSS score of this vulnerability is **9.9**.\n\n## CVE-2021-1241\n\nThe fourth vulnerability, identified by **CVE-2021-1241**, is due to insufficient handling of malformed packets. An **unauthenticated** attacker could exploit this vulnerability by sending crafted packets through an affected device. A successful exploit could allow the attacker to cause the device to reboot, resulting in a DoS condition on the affected system. The CVSS score of this vulnerability is **8.6**.\n\n## CVE-2021-1273\n\nThe fifth vulnerability, identified by **CVE-2021-1273**, is due to the bounds checking in the forwarding plane of the IPSec tunnel management functionality. An **unauthenticated, remote** attacker could exploit this vulnerability by sending crafted IPv4 or IPv6 packets to a specific device. A successful exploit could allow the attacker to cause a DoS condition on the affected system. The CVSS score of this vulnerability is **8.6**.\n\n## CVE-2021-1274\n\nThe sixth vulnerability, identified by **CVE-2021-1274**, is due to the presence of a null dereference in vDaemon. An **unauthenticated, remote** attacker could exploit this vulnerability by sending crafted traffic to a specific device. A successful exploit could allow the attacker to cause a DoS condition on the affected system. 
The CVSS score of this vulnerability is **8.6**.\n\n# Affected products\n\nThe following products could be affected by the vulnerabilities:\n\n* IOS XE SD-WAN Software\n* SD-WAN vBond Orchestrator Software\n* SD-WAN vEdge Cloud Routers\n* SD-WAN vEdge Routers\n* SD-WAN vManage Software\n* SD-WAN vSmart Controller Software\n\nThe following software releases are affected by the vulnerabilities:\n\n* SD-WAN Software\n\t* release versions prior to 20.3\n\t* release version 20.3 prior to 20.3.2\n\t* release version 20.4 prior to 20.4.1\n* IOS XE SD-WAN Software\n\t* release versions prior to 16.12\n\t* release version 16.12 prior to 16.12.4\n* IOS XE Software\n\t* release version 17.2 prior to 17.2.2\n\t* release version 17.3 prior to 17.3.1\n\t* release version 17.4 prior to 17.4.1\n\n# Recommendations\n\nIt is recommended to apply the patches from Cisco for all affected software and products.\n\n# References\n\n[1] <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-bufovulns-B5NrSHbj>\n\n[2] <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-abyp-TnGFHrS>\n\n[3] <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-cmdinjm-9QMSmgcn>\n\n[4] <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-dosmulti-48jJuEUP>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>21/01/2021 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>Cisco has published an advisory about several vulnerabilities affecting Cisco SD-WAN software [1-4]. These vulnerabilities could lead to <strong>remote code execution</strong>, <strong>denial of service</strong>, or <strong>authtication bypass</strong>. While Cisco is not aware of any malicious exploit in the wild, it is highly recommended to patch the affected products.</p><h2 id=\"technical-details\">Technical Details</h2><p>This advisory only describes the most critical vulnerabilities disclosed by Cisco.</p><h3 id=\"cve-2021-1300\">CVE-2021-1300</h3><p>The first vulnerability, identified by <strong>CVE-2021-1300</strong>, is due to incorrect handling of IP traffic by the SD-WAN software. By sending crafted packets to a vulnerable device, an <strong>unauthenticated, remote</strong> attacker could cause a <strong>buffer overflow</strong> on the underlying software. Successfully exploiting this vulnerability could lead the attacker to execute arbitrary code on the operating system with <strong>root</strong> privileges. The CVSS score of this vulnerability is <strong>9.8</strong></p><h3 id=\"cve-2021-1302\">CVE-2021-1302</h3><p>The second vulnerability, identified by <strong>CVE-2021-1302</strong>, is due to insufficient authorization checks. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the <strong>unauthenticated</strong> attacker to bypass authorization and connect to other vManage tenants that they are not authorized to connect to. 
The CVSS score of this vulnerability is <strong>8.8</strong>.</p><h3 id=\"cve-2021-1299\">CVE-2021-1299</h3><p>The third vulnerability, identified by <strong>CVE-2021-1299</strong>, is due to improper input validation of user-supplied input to the device template configuration. An <strong>authenticated</strong> attacker could exploit this vulnerability by submitting crafted input to the device template configuration. A successful exploit could allow the attacker to gain root-level access to the affected system. The CVSS score of this vulnerability is <strong>9.9</strong>.</p><h3 id=\"cve-2021-1241\">CVE-2021-1241</h3><p>The fourth vulnerability, identified by <strong>CVE-2021-1241</strong>, is due to insufficient handling of malformed packets. An <strong>unauthenticated</strong> attacker could exploit this vulnerability by sending crafted packets through an affected device. A successful exploit could allow the attacker to cause the device to reboot, resulting in a DoS condition on the affected system. The CVSS score of this vulnerability is <strong>8.6</strong>.</p><h3 id=\"cve-2021-1273\">CVE-2021-1273</h3><p>The fifth vulnerability, identified by <strong>CVE-2021-1273</strong>, is due to the bounds checking in the forwarding plane of the IPSec tunnel management functionality. An <strong>unauthenticated, remote</strong> attacker could exploit this vulnerability by sending crafted IPv4 or IPv6 packets to a specific device. A successful exploit could allow the attacker to cause a DoS condition on the affected system. The CVSS score of this vulnerability is <strong>8.6</strong>.</p><h3 id=\"cve-2021-1274\">CVE-2021-1274</h3><p>The sixth vulnerability, identified by <strong>CVE-2021-1274</strong>, is due to the presence of a null dereference in vDaemon. An <strong>unauthenticated, remote</strong> attacker could exploit this vulnerability by sending crafted traffic to a specific device. 
A successful exploit could allow the attacker to cause a DoS condition on the affected system. The CVSS score of this vulnerability is <strong>8.6</strong>.</p><h2 id=\"affected-products\">Affected products</h2><p>The following products could be affected by the vulnerabilities:</p><ul><li>IOS XE SD-WAN Software</li><li>SD-WAN vBond Orchestrator Software</li><li>SD-WAN vEdge Cloud Routers</li><li>SD-WAN vEdge Routers</li><li>SD-WAN vManage Software</li><li>SD-WAN vSmart Controller Software</li></ul><p>The following software releases are affected by the vulnerabilities:</p><ul><li>SD-WAN Software <ul><li>release versions prior to 20.3</li><li>release version 20.3 prior to 20.3.2</li><li>release version 20.4 prior to 20.4.1</li></ul></li><li>IOS XE SD-WAN Software <ul><li>release versions prior to 16.12</li><li>release version 16.12 prior to 16.12.4</li></ul></li><li>IOS XE Software <ul><li>release version 17.2 prior to 17.2.2</li><li>release version 17.3 prior to 17.3.1</li><li>release version 17.4 prior to 17.4.1</li></ul></li></ul><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended to apply the patches from Cisco for all affected software and products.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-bufovulns-B5NrSHbj\">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-bufovulns-B5NrSHbj</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-abyp-TnGFHrS\">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-abyp-TnGFHrS</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" 
href=\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-cmdinjm-9QMSmgcn\">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-cmdinjm-9QMSmgcn</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-dosmulti-48jJuEUP\">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-dosmulti-48jJuEUP</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}