SB2018072010 - Multiple vulnerabilities in Cisco SD-WAN


Published: July 20, 2018

Security Bulletin ID: SB2018072010
Severity: High
Patch available: YES
Number of vulnerabilities: 10
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 10%, Low 90%

Description

This security bulletin contains information about 10 security vulnerabilities.


1) Buffer overflow (CVE-ID: CVE-2018-0342)

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists in the configuration and monitoring service of the Cisco SD-WAN Solution due to buffer overflow when handling user-supplied input. A local attacker can send malicious data to the vDaemon listening service, trigger memory corruption and cause the vDaemon listening service to reload or execute arbitrary code with root privileges.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


2) Command injection (CVE-ID: CVE-2018-0344)

The vulnerability allows a remote authenticated attacker to execute arbitrary commands on the target system.

The vulnerability exists in the vManage dashboard for the configuration and management service of the Cisco SD-WAN Solution due to insufficient input validation of data parameters for certain fields in the affected solution. A remote authenticated attacker can configure a malicious username on the login page, inject and execute arbitrary commands with vmanage user privileges.


3) Improper input validation (CVE-ID: CVE-2018-0343)

The vulnerability allows a remote authenticated attacker to cause a DoS condition or execute arbitrary code on the target system.

The vulnerability exists in the configuration and management service of the Cisco SD-WAN Solution due to insufficient access restrictions to the HTTP management interface. A remote authenticated attacker can send a malicious HTTP request to the affected management service through an authenticated device and stop HTTP services or execute arbitrary code with vmanage user privileges.


4) Command injection (CVE-ID: CVE-2018-0347)

The vulnerability allows a local attacker to execute arbitrary commands on the target system.

The vulnerability exists in the Zero Touch Provisioning (ZTP) subsystem of the Cisco SD-WAN Solution due to insufficient input validation. A local attacker can submit malicious input to the affected parameter, inject and execute arbitrary commands with root privileges.


5) Command injection (CVE-ID: CVE-2018-0350)

The vulnerability allows a local attacker to execute arbitrary commands on the target system.

The vulnerability exists in the VPN subsystem configuration in the Cisco SD-WAN Solution due to insufficient input validation. A local attacker can submit malicious input to the affected parameter, inject and execute arbitrary commands with root privileges.


6) Command injection (CVE-ID: CVE-2018-0348)

The vulnerability allows a remote authenticated attacker to execute arbitrary commands on the target system.

The vulnerability exists in the CLI of the Cisco SD-WAN Solution due to insufficient input validation. A remote authenticated attacker can submit malicious input to the load command within the VPN subsystem, inject and execute arbitrary commands with root privileges.


7) Command injection (CVE-ID: CVE-2018-0351)

The vulnerability allows a local attacker to execute arbitrary commands on the target system.

The vulnerability exists in the command-line tcpdump utility in the Cisco SD-WAN Solution due to insufficient input validation. A local attacker can submit malicious input to the tcpdump utility, inject and execute arbitrary commands with root privileges.
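Items 4 through 7 share one root cause: a privileged command wrapper passes user-supplied arguments on without validating them. The following is an added illustration of that weakness and of the standard mitigation (argument allowlists, an argv list, no shell); it is hypothetical code written for this bulletin, not Cisco's implementation, and the interface and BPF vocabularies are constructed assumptions.

```python
import re
import subprocess
from typing import List

# Weak pattern, shown only for contrast: the interface name and filter are
# spliced into a shell string, so any shell metacharacter in either value is
# interpreted by the shell and runs with the wrapper's (root) privileges.
def build_shell_command_unsafe(iface: str, bpf_filter: str) -> str:
    return f"tcpdump -i {iface} {bpf_filter}"

# Hardened pattern: validate each argument against a strict allowlist and
# hand tcpdump an argv list, so no shell ever parses the input.
IFACE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]{0,14}$")
# Constructed, deliberately small BPF vocabulary: keywords, ports, dotted IPv4.
BPF_TOKEN_RE = re.compile(
    r"^(host|net|port|src|dst|and|or|not|tcp|udp|icmp|ip|\d{1,5}|(\d{1,3}\.){3}\d{1,3})$"
)
MAX_TOKENS = 16

def build_argv(iface: str, bpf_filter: str) -> List[str]:
    """Return the exact argv for tcpdump, or raise ValueError on any input
    that does not match the allowlists (including metacharacters)."""
    if not IFACE_RE.fullmatch(iface):
        raise ValueError("interface name rejected")
    tokens = bpf_filter.split()
    if not tokens or len(tokens) > MAX_TOKENS:
        raise ValueError("filter length rejected")
    for tok in tokens:
        if not BPF_TOKEN_RE.fullmatch(tok):
            raise ValueError(f"filter token rejected: {tok!r}")
    # "--" ends option parsing, so a token can never be read as a tcpdump flag.
    return ["tcpdump", "-i", iface, "-c", "100", "--", *tokens]

def is_rejected(iface: str, bpf_filter: str) -> bool:
    """True when the hardened validator refuses the pair (self-check helper)."""
    try:
        build_argv(iface, bpf_filter)
    except ValueError:
        return True
    return False

def run_capture(iface: str, bpf_filter: str) -> subprocess.CompletedProcess:
    """Validate, then execute without a shell; needs tcpdump and privileges."""
    return subprocess.run(build_argv(iface, bpf_filter), shell=False,
                          check=False, capture_output=True, text=True)
```

Compare the two builders on the same input: the unsafe one returns a string a shell will re-parse, while the hardened one either returns a fixed-shape argv or refuses the request outright.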


8) Command injection (CVE-ID: CVE-2018-0345)

The vulnerability allows a remote authenticated attacker to execute arbitrary commands on the target system.

The vulnerability exists in the configuration and management service of the Cisco SD-WAN Solution due to insufficient validation of command arguments that are passed to the configuration and management database. A remote authenticated attacker can create custom functions that contain malicious code, inject and execute arbitrary commands with the privileges of the vmanage user in the configuration management system.


9) Buffer overflow (CVE-ID: CVE-2018-0346)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The vulnerability exists in the Zero Touch Provisioning service of the Cisco SD-WAN Solution due to buffer overflow when handling certain values in packets that are sent to the Zero Touch Provisioning service. A remote attacker can send malicious packets to the affected software for processing, trigger memory corruption and cause the affected device to reload.


10) Privilege escalation (CVE-ID: CVE-2018-0349)

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The vulnerability exists in the Cisco SD-WAN Solution due to improper input validation of the request admin-tech command in the CLI. A remote authenticated attacker can modify the request admin-tech command in the CLI and overwrite arbitrary files on the underlying operating system to gain root privileges.


Remediation

Install update from vendor's website.