{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-053.pdf"
    },
    "title": "Critical Vulnerabilities in Cisco Software",
    "serial_number": "2021-053",
    "publish_date": "24-09-2021 16:24:00",
    "description": "On Wednesday, September 22, 2021, the Cisco Product Security Incident Response Team (PSIRT) released 31 security advisories (3 Critical, 13 High, 15 Medium) to address multiple vulnerabilities in Cisco IOS XE software or products running with a specific configuration. At this time, Cisco PSIRT is not aware of any public announcements or malicious use of the critical vulnerabilities CVE-2021-34770, CVE-2021-34727 and CVE-2021-1619.",
    "url_title": "2021-053",
    "content_markdown": "---\ntitle: 'Critical Vulnerabilities in\u00a0Cisco\u00a0Software'\nversion: '1.0'\nnumber: '2021-053'\ndate: 'September 24, 2021'\n---\n\n_History:_\n\n* _24/09/2021 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn Wednesday, September 22, 2021, the Cisco Product Security Incident Response Team (PSIRT) released 31 security advisories (**3 Critical**, 13 High, 15 Medium) to address multiple vulnerabilities in Cisco IOS XE software or products running with a specific configuration [1]. At this time, Cisco PSIRT is not aware of any public announcements or malicious use of the critical vulnerabilities CVE-2021-34770, CVE-2021-34727 and CVE-2021-1619 [2,3,4].\n\n# Technical Details\n\n**CVE-2021-34770 Cisco IOS XE Software for Catalyst 9000 Family Wireless Controllers CAPWAP Remote Code Execution vulnerability**\n\nA vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to execute arbitrary code with administrative privileges or cause a denial of service (DoS) condition on an affected device [2].\n\nThe vulnerability is due to a logic error that occurs during the validation of CAPWAP packets. An attacker could exploit this vulnerability by sending a crafted CAPWAP packet to an affected device. A successful exploit could allow the attacker to execute arbitrary code with administrative privileges or cause the affected device to crash and reload, resulting in a DoS condition [2].\n\n**CVE-2021-34727 Cisco IOS XE SD-WAN Software Buffer Overflow vulnerability**\n\nA vulnerability in the vDaemon process in Cisco IOS XE SD-WAN Software could allow an unauthenticated, remote attacker to cause a buffer overflow on an affected device [3].\n\nThis vulnerability is due to insufficient bounds checking when an affected device processes traffic. 
An attacker could exploit this vulnerability by sending crafted traffic to the device. A successful exploit could allow the attacker to cause a buffer overflow and possibly execute arbitrary commands with root-level privileges, or cause the device to reload, which could result in a denial of service condition [3].\n\n**CVE-2021-1619 Cisco IOS XE Software NETCONF and RESTCONF Authentication Bypass vulnerability**\n\nA vulnerability in the authentication, authorization, and accounting (AAA) function of Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass NETCONF or RESTCONF authentication and do either of the following [4]:\n\n- Install, manipulate, or delete the configuration of an affected device.\n- Cause memory corruption that results in a denial of service (DoS) on an affected device.\n\nThis vulnerability is due to an uninitialized variable. An attacker could exploit this vulnerability by sending a series of `NETCONF` or `RESTCONF` requests to an affected device. 
A successful exploit could allow the attacker to use `NETCONF` or `RESTCONF` to install, manipulate, or delete the configuration of a network device or to corrupt memory on the device, resulting in a DoS [4].\n\n# Affected Products\n\n## CVE-2021-34770\n\nThis vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers [2]:\n\n- Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches\n- Catalyst 9800 Series Wireless Controllers\n- Catalyst 9800-CL Wireless Controllers for Cloud\n- Embedded Wireless Controller on Catalyst Access Points\n\n## CVE-2021-34727\n\nThis vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco IOS XE SD-WAN Software and have the SD-WAN feature enabled [3]:\n\n- 1000 Series Integrated Services Routers (ISRs)\n- 4000 Series ISRs\n- ASR 1000 Series Aggregation Services Routers\n- Cloud Services Router 1000V Series\n\n## CVE-2021-1619\n\nThis vulnerability affects Cisco IOS XE Software if it is running in autonomous or controller mode and Cisco IOS XE SD-WAN Software. 
For either to be affected, all of the following must be configured [4]:\n\n- `AAA`,\n- `NETCONF`, `RESTCONF`, or both,\n- enable password without enable secret.\n\n# Recommendations\n\nCisco has released software updates that address these vulnerabilities.\n\nCERT-EU recommends updating the vulnerable application as soon as possible.\n\n## Workarounds and Mitigations\n\nThere is a workaround that addresses the **CVE-2021-1619** vulnerability:\n\n- Remove the _enable password_ and configure the _enable secret_ [4,5].\n- To limit the attack surface of this vulnerability, ensure that access control lists (ACLs) are in place for `NETCONF` and `RESTCONF` to prevent attempted access from untrusted subnets [4,6].\n\nThere are no workarounds for the **CVE-2021-34770** and **CVE-2021-34727** vulnerabilities [2,3].\n\n# References\n\n[1] <https://tools.cisco.com/security/center/publicationListing.x>\n\n[2] <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-capwap-rce-LYgj8Kf>\n\n[3] <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxesdwan-rbuffover-vE2OB6tp>\n\n[4] <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aaa-Yx47ZT8Q>\n\n[5] <https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html#anc14>\n\n[6] <https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/1611/b_1611_programmability_cg/service_level_ACLs_NETCONF_RESTCONF.html>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>24/09/2021 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On Wednesday, September 22, 2021, the Cisco Product Security Incident Response Team (PSIRT) released 31 security advisories (<strong>3 Critical</strong>, 13 High, 15 Medium) to address multiple vulnerabilities in Cisco IOS XE software or products running with a specific configuration [1]. At this time, Cisco PSIRT is not aware of any public announcements or malicious use of the critical vulnerabilities CVE-2021-34770, CVE-2021-34727 and CVE-2021-1619 [2,3,4].</p><h2 id=\"technical-details\">Technical Details</h2><p><strong>CVE-2021-34770 Cisco IOS XE Software for Catalyst 9000 Family Wireless Controllers CAPWAP Remote Code Execution vulnerability</strong></p><p>A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to execute arbitrary code with administrative privileges or cause a denial of service (DoS) condition on an affected device [2].</p><p>The vulnerability is due to a logic error that occurs during the validation of CAPWAP packets. An attacker could exploit this vulnerability by sending a crafted CAPWAP packet to an affected device. A successful exploit could allow the attacker to execute arbitrary code with administrative privileges or cause the affected device to crash and reload, resulting in a DoS condition [2].</p><p><strong>CVE-2021-34727 Cisco IOS XE SD-WAN Software Buffer Overflow vulnerability</strong></p><p>A vulnerability in the vDaemon process in Cisco IOS XE SD-WAN Software could allow an unauthenticated, remote attacker to cause a buffer overflow on an affected device [3].</p><p>This vulnerability is due to insufficient bounds checking when an affected device processes traffic. 
An attacker could exploit this vulnerability by sending crafted traffic to the device. A successful exploit could allow the attacker to cause a buffer overflow and possibly execute arbitrary commands with root-level privileges, or cause the device to reload, which could result in a denial of service condition [3].</p><p><strong>CVE-2021-1619 Cisco IOS XE Software NETCONF and RESTCONF Authentication Bypass vulnerability</strong></p><p>A vulnerability in the authentication, authorization, and accounting (AAA) function of Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass NETCONF or RESTCONF authentication and do either of the following [4]:</p><ul><li>Install, manipulate, or delete the configuration of an affected device.</li><li>Cause memory corruption that results in a denial of service (DoS) on an affected device.</li></ul><p>This vulnerability is due to an uninitialized variable. An attacker could exploit this vulnerability by sending a series of <code>NETCONF</code> or <code>RESTCONF</code> requests to an affected device. 
A successful exploit could allow the attacker to use <code>NETCONF</code> or <code>RESTCONF</code> to install, manipulate, or delete the configuration of a network device or to corrupt memory on the device, resulting in a DoS [4].</p><h2 id=\"affected-products\">Affected Products</h2><h3 id=\"cve-2021-34770\">CVE-2021-34770</h3><p>This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers [2]:</p><ul><li>Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches</li><li>Catalyst 9800 Series Wireless Controllers</li><li>Catalyst 9800-CL Wireless Controllers for Cloud</li><li>Embedded Wireless Controller on Catalyst Access Points</li></ul><h3 id=\"cve-2021-34727\">CVE-2021-34727</h3><p>This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco IOS XE SD-WAN Software and have the SD-WAN feature enabled [3]:</p><ul><li>1000 Series Integrated Services Routers (ISRs)</li><li>4000 Series ISRs</li><li>ASR 1000 Series Aggregation Services Routers</li><li>Cloud Services Router 1000V Series</li></ul><h3 id=\"cve-2021-1619\">CVE-2021-1619</h3><p>This vulnerability affects Cisco IOS XE Software if it is running in autonomous or controller mode and Cisco IOS XE SD-WAN Software. 
For either to be affected, all of the following must be configured [4]:</p><ul><li><code>AAA</code>,</li><li><code>NETCONF</code>, <code>RESTCONF</code>, or both,</li><li>enable password without enable secret.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Cisco has released software updates that address these vulnerabilities.</p><p>CERT-EU recommends updating the vulnerable application as soon as possible.</p><h3 id=\"workarounds-and-mitigations\">Workarounds and Mitigations</h3><p>There is a workaround that addresses the <strong>CVE-2021-1619</strong> vulnerability:</p><ul><li>Remove the <em>enable password</em> and configure the <em>enable secret</em> [4,5].</li><li>To limit the attack surface of this vulnerability, ensure that access control lists (ACLs) are in place for <code>NETCONF</code> and <code>RESTCONF</code> to prevent attempted access from untrusted subnets [4,6].</li></ul><p>There are no workarounds for the <strong>CVE-2021-34770</strong> and <strong>CVE-2021-34727</strong> vulnerabilities [2,3].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://tools.cisco.com/security/center/publicationListing.x\">https://tools.cisco.com/security/center/publicationListing.x</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-capwap-rce-LYgj8Kf\">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-capwap-rce-LYgj8Kf</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxesdwan-rbuffover-vE2OB6tp\">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxesdwan-rbuffover-vE2OB6tp</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" 
href=\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aaa-Yx47ZT8Q\">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aaa-Yx47ZT8Q</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html#anc14\">https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html#anc14</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/1611/b_1611_programmability_cg/service_level_ACLs_NETCONF_RESTCONF.html\">https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/1611/b_1611_programmability_cg/service_level_ACLs_NETCONF_RESTCONF.html</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}