Cisco is warning of three command injection vulnerabilities in its software-defined networking for wide-area networks (SD-WAN) solutions for business users. Cisco issued patches addressing eight buffer-overflow and command-injection SD-WAN vulnerabilities.
Cisco is warning customers to update its networking software immediately. “This vulnerability is due to improper input-validation of user-supplied input to the device template configuration,” according to Cisco. “An attacker could exploit this vulnerability by submitting crafted input to the device template configuration.
Cisco issued patches addressing eight buffer-overflow and command-injection SD-WAN vulnerabilities. The most serious of these flaws could be exploited by an unauthenticated, remote attacker to execute arbitrary code on the affected system with root privileges.
Three critical flaws (CVE-2021-1138, CVE-2021-1140, CVE-2021-1142) were found in Cisco smart software manager satellite, which offers businesses real-time visibility and reporting of their Cisco licenses. One critical-severity flaw (CVE-2021-1299) exists in the web-based management interface of Cisco SD-WAN vManage aoftware. This flaw (which ranks 9.9 out of 10 on the CVSS scale) could allow an authenticated, remote attacker to gain root-level access to an affected system and execute arbitrary commands as the root user on the system.
This vulnerability is due to improper input-validation of user-supplied input to the device template configuration,” according to Cisco. “An attacker could exploit this vulnerability by submitting crafted input to the device template configuration.
The flaw stems from insufficient input validation by the Command Runner tool, which allows users to send diagnostic CLI commands to selected devices. An attacker could exploit this flaw by providing crafted input during command execution or via a crafted command runner API call, according to Cisco.
