Cisco Bugs Allow Code Execution on Wireless & SD-WAN!


Unauthenticated cyber-attackers can also wreak havoc on networking device configurations.

Cisco is warning that three critical security vulnerabilities affect its flagship IOS XE software, the operating system for most of its enterprise networking portfolio. The flaws impact Cisco’s wireless controllers, its SD-WAN offering and the configuration mechanisms used by scads of products.

The company has released patches for all, as part of a comprehensive 32-bug update released this week.

The most severe of the critical bugs is an unauthenticated remote-code-execution (RCE) & denial-of-service (DoS) bug, affecting the Cisco Catalyst 9000 family of wireless controllers.

CVE-2021-34770: RCE & DoS for Wireless Controllers

With a rare 10 out of 10 CVSS vulnerability-severity rating, the issue (CVE-2021-34770) specifically exists in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing used by the Cisco IOS XE software that powers the devices.

“The vulnerability is due to a logic error that occurs during the validation of CAPWAP packets,” Cisco explained in its advisory this week.

“An attacker could exploit this vulnerability by sending a crafted CAPWAP packet to an affected device. A successful exploit could allow the attacker to execute arbitrary code with administrative privileges or cause the affected device to crash & reload, resulting in a DoS condition.”

No Workaround

Absent a workaround or mitigation, admins should patch as soon as possible to avoid compromise. The affected products are:

  • Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, & 9500 Series Switches
  • Catalyst 9800 Series Wireless Controllers
  • Catalyst 9800-CL Wireless Controllers for Cloud
  • Embedded Wireless Controller on Catalyst Access Points

RCE & DoS for Cisco SD-WAN

The next two critical bugs rate 9.8 out of 10 on the CVSS scale. The first of these is a software buffer-overflow issue (CVE-2021-34727) in Cisco’s SD-WAN software (which can be enabled via IOS XE software), which could allow unauthenticated RCE as root and DoS attacks. It arises in the vDaemon process, according to the advisory.

“This vulnerability is due to insufficient bounds-checking when an affected device processes traffic,” according to Cisco.

“An attacker could exploit this vulnerability by sending crafted traffic to the device. A successful exploit could allow the attacker to cause a buffer overflow & possibly execute arbitrary commands with root-level privileges, or cause the device to reload, which could result in a denial-of-service condition.”

SD-WAN

Once again there are no workarounds or mitigations for this one, so patching promptly is a good idea. The following products are vulnerable if orgs are using the SD-WAN feature:

  • 1000 Series Integrated Services Routers (ISRs)
  • 4000 Series ISRs
  • ASR 1000 Series Aggregation Services Routers
  • Cloud Services Router 1000V Series

CVE-2021-1619: Endangering Device Configurations

The last critical bug is an authentication-bypass vulnerability in the IOS XE software – specifically affecting the network configuration protocol (NETCONF) used to install, manipulate & delete the configuration of network devices through a network management system; & the RESTCONF protocol, which is a REST-based HTTP interface used to query & configure devices with NETCONF configuration datastores.

The issue (CVE-2021-1619) specifically resides in the authentication, authorisation & accounting (AAA) function, Cisco explained, which could allow an unauthenticated, remote attacker to bypass NETCONF or RESTCONF authentication & wreak havoc in a couple of ways:

  • Install, manipulate, or delete the configuration of an affected device
  • Cause memory corruption that results in DoS

Uninitialized Variable

“This vulnerability is due to an uninitialized variable,” according to the advisory. “An attacker could exploit this vulnerability by sending a series of NETCONF or RESTCONF requests to an affected device.”

This vulnerability affects devices running the following:

  • Cisco IOS XE software if configured for autonomous or controller mode
  • Cisco IOS XE SD-WAN software

Workaround, Mitigation Available

Unlike the previous two bugs, this one has both a workaround and a mitigation.

Regarding the workaround, it’s important to note that to be vulnerable, three things must be configured:

  • AAA
  • NETCONF, RESTCONF or both
  • “Enable password” used without “enable secret”

Thus, users can remove the “enable password” configuration & configure “enable secret” instead, in order to protect themselves.

As for a mitigation, to limit the attack surface, admins can ensure that access control lists (ACLs) are in place for NETCONF & RESTCONF to prevent attempted access from untrusted subnets, Cisco advised.
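As an added example (not code from the article or from Cisco), the following Python audit checks a saved `show running-config` for the three preconditions listed above. It assumes `aaa new-model` is the line that indicates AAA is configured, `netconf-yang` and `restconf` are the lines that enable those interfaces, and the two sample configs are constructed for illustration.

```python
"""Audit an IOS XE running-config for the CVE-2021-1619 preconditions:
AAA enabled, NETCONF and/or RESTCONF enabled, and an "enable password"
configured without an "enable secret". Only when all three hold is the
device exposed, per the article's summary of the Cisco advisory."""


def audit_config(config_text):
    """Return which preconditions are present and whether the device is exposed."""
    lines = [line.strip() for line in config_text.splitlines()]
    # Assumption: "aaa new-model" is how AAA shows up in a running-config.
    aaa = any(line == "aaa new-model" for line in lines)
    netconf = any(line.startswith("netconf-yang") for line in lines)
    restconf = any(line == "restconf" for line in lines)
    enable_password = any(line.startswith("enable password ") for line in lines)
    enable_secret = any(line.startswith("enable secret ") for line in lines)

    # The workaround (enable secret instead of enable password) and the
    # NETCONF/RESTCONF conditions are evaluated exactly as the advisory lists them.
    exposed = aaa and (netconf or restconf) and enable_password and not enable_secret
    findings = []
    if exposed:
        findings.append("Remove 'enable password' and configure 'enable secret'.")
        findings.append("Restrict NETCONF/RESTCONF access with ACLs to trusted subnets.")
    return {
        "aaa": aaa,
        "netconf_or_restconf": netconf or restconf,
        "enable_password_without_secret": enable_password and not enable_secret,
        "exposed": exposed,
        "findings": findings,
    }


# Constructed sample: all three preconditions present (vulnerable pattern).
VULNERABLE_CFG = """\
hostname edge-rtr-1
aaa new-model
enable password 7 094F471A1A0A
netconf-yang
restconf
ip http secure-server
"""

# Constructed sample after applying the workaround: enable secret replaces enable password.
FIXED_CFG = """\
hostname edge-rtr-1
aaa new-model
enable secret 9 $9$CONSTRUCTED_PLACEHOLDER_HASH
netconf-yang
restconf
ip http secure-server
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CFG), ("fixed", FIXED_CFG)):
        print(name, audit_config(cfg))
```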
