Cisco Patches Critical Vulnerabilities in SD-WAN, DNA Center, SSMS Products

Cisco this week released patches to address a significant number of vulnerabilities across its product portfolio, including several critical flaws in SD-WAN products, DNA Center, and Smart Software Manager Satellite (SSMS).
Several command injection bugs addressed in SD-WAN products could allow an attacker to perform actions as root on affected devices; the most severe of them is rated critical, with a CVSS score of 9.9.

Tracked as CVE-2021-1299, the flaw resides in the web-based management interface of SD-WAN vManage software and could be exploited remotely, without authentication, to execute arbitrary commands as the root user. An attacker looking to exploit the flaw would have to submit crafted input to the device template configuration.

Five other command injection flaws were addressed in SD-WAN vBond Orchestrator, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage, and SD-WAN vSmart Controller Software. Two of them were rated high severity, while the other three were considered medium severity.

Cisco also patched two buffer overflow issues in SD-WAN, the most important of which is tracked as CVE-2021-1300 and features a CVSS score of 9.8. The flaw could lead to arbitrary code execution with root privileges.

Impacted products include IOS XE SD-WAN, SD-WAN vBond Orchestrator, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage, and SD-WAN vSmart Controller software.

A critical vulnerability addressed in DNA Center could be exploited to perform command injection attacks. Tracked as CVE-2021-1264 and featuring a CVSS score of 9.6, the flaw exists because of insufficient input validation by the Command Runner tool. Cisco DNA Center releases prior to version 1.3.1.0 are affected.

Three critical bugs (CVE-2021-1138, CVE-2021-1140, CVE-2021-1142; CVSS score of 9.8) were patched in the web UI of Smart Software Manager Satellite. The flaws could be exploited by an unauthenticated, remote attacker to execute arbitrary commands.
Two other issues (CVE-2021-1139, CVE-2021-1141; CVSS score of 8.8) also addressed in the software could be exploited remotely, without authentication, to execute arbitrary commands as the root user. Cisco Smart Software Manager On-Prem releases 6.3.0 and later contain fixes for all of these flaws.
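The two version thresholds stated above (DNA Center fixed from 1.3.1.0, Smart Software Manager On-Prem fixed from 6.3.0) are the kind of fact a defender wants to run against an asset inventory. The following is an added example, not code from Cisco or from this article; the inventory rows and product keys are constructed, and it deliberately compares versions numerically so that 1.3.10.0 is not mistaken for a release older than 1.3.1.0.

```python
import csv
import io
import re

# First fixed release per product, as stated in the article above.
# The product keys are assumed inventory labels, not Cisco identifiers.
FIXED_IN = {
    "dna-center": "1.3.1.0",   # releases prior to 1.3.1.0 are affected
    "ssm-on-prem": "6.3.0",    # 6.3.0 and later contain the fixes
}

# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = """\
host,product,version
dnac-01,dna-center,1.3.0.4
dnac-02,dna-center,1.3.10.0
ssm-01,ssm-on-prem,6.2.1
ssm-02,ssm-on-prem,6.3.0
sw-01,catalyst-switch,16.9.4
"""


def parse_version(text):
    """'1.3.10.0' -> (1, 3, 10, 0). Numeric tuples avoid the string-compare
    trap where '1.3.10.0' would sort before '1.3.1.0'."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_older(version, threshold):
    """Component-wise compare; pad with zeros so 1.3.1 equals 1.3.1.0."""
    width = max(len(version), len(threshold))
    version = version + (0,) * (width - len(version))
    threshold = threshold + (0,) * (width - len(threshold))
    return version < threshold


def triage(csv_text):
    """Map each host to 'affected', 'fixed', or 'no-rule' (product not covered here)."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        fixed = FIXED_IN.get(row["product"])
        if fixed is None:
            result[row["host"]] = "no-rule"
            continue
        older = is_older(parse_version(row["version"]), parse_version(fixed))
        result[row["host"]] = "affected" if older else "fixed"
    return result
```

Hosts reported as "no-rule" are not cleared; they simply fall outside the two thresholds this article gives, so check Cisco's advisories for them separately.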

Cisco says it is not aware of public exploits or attacks that target any of these vulnerabilities.

This week, the company also released patches for multiple other high- and medium-severity flaws in SD-WAN, DNA Center, Data Center Network Manager, SSMS, Advanced Malware Protection (AMP) for Endpoints for Windows and Immunet for Windows, Web Security Appliance (WSA), Umbrella, Unified Communications products, Elastic Services Controller (ESC), Email Security Appliance (ESA), Content Security Management Appliance (SMA), and StarOS.

Information on all of the addressed vulnerabilities can be found on Cisco’s security portal.
Written by Ionut Arghire, an international correspondent for SecurityWeek.