Unauthenticated cyber-attackers can also wreak havoc on networking device configurations.
Cisco is warning 3 critical security vulnerabilities affect its flagship IOS XE software, the operating system for most of its enterprise networking portfolio. The flaws impact Cisco’s wireless controllers, SD-WAN offering & configuration mechanisms in use for scads of products.
The company has released patches for all, as part of a comprehensive 32-bug update released this week.
The most severe of the critical bugs is an unauthenticated remote-code-execution (RCE) & denial-of-service (DoS) bug, affecting the Cisco Catalyst 9000 family of wireless controllers.
CVE-2021-34770: RCE & DoS for Wireless Controllers
With a rare 10 out of 10 CVSS vulnerability-severity rating, the issue (CVE-2021-34770) specifically exists in the control & provisioning of wireless access points (CAPWAP) protocol processing used by the Cisco IOS XE software that powers the devices.
“The vulnerability is due to a logic error that occurs during the validation of CAPWAP packets,” Cisco explained in its advisory this week.
“An attacker could exploit this vulnerability by sending a crafted CAPWAP packet to an affected device. A successful exploit could allow the attacker to execute arbitrary code with administrative privileges or cause the affected device to crash & reload, resulting in a DoS condition.”
Workaround
Absent a workaround or mitigation, admins should patch as soon as possible to avoid compromise. The affected products are:
- Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, & 9500 Series Switches
- Catalyst 9800 Series Wireless Controllers
- Catalyst 9800-CL Wireless Controllers for Cloud
- Embedded Wireless Controller on Catalyst Access Points
RCE & DoS for Cisco SD-WAN
The next 2 critical bugs rate 9.8 out of 10 on the CVSS scale. The 1st of these is a software-buffer-overflow issue (CVE-2021-34727) in Cisco’s SD-WAN software (which can be enabled via IOS XE software), which could allow unauthenticated RCE as root & DoS attacks. It arises in the vDaemon process, according to the advisory.
“This vulnerability is due to insufficient bounds-checking when an affected device processes traffic,” according to Cisco.
“An attacker could exploit this vulnerability by sending crafted traffic to the device. A successful exploit could allow the attacker to cause a buffer overflow & possibly execute arbitrary commands with root-level privileges, or cause the device to reload, which could result in a denial-of-service condition.”
SD-WAN
Once again there are no workarounds or mitigations for this one, so patching promptly is a good idea. The following products are vulnerable if orgs are using the SD-WAN feature:
- 1000 Series Integrated Services Routers (ISRs)
- 4000 Series ISRs
- ASR 1000 Series Aggregation Services Routers
- Cloud Services Router 1000V Series
CVE-2021-1619: Endangering Device Configurations
The last critical bug is an authentication-bypass vulnerability in the IOS XE software – specifically affecting the network configuration protocol (NETCONF) used to install, manipulate & delete the configuration of network devices through a network management system; & the RESTCONF protocol, which is a REST-based HTTP interface used to query & configure devices with NETCONF configuration datastores.
The issue (CVE-2021-1619) specifically resides in the authentication, authorisation & accounting (AAA) function, Cisco explained, which could allow an unauthenticated, remote attacker to bypass NETCONF or RESTCONF authentication & wreak havoc in a couple of ways:
- Install, manipulate, or delete the configuration of an affected device
- Cause memory corruption that results in DoS
Uninitialized Variable
“This vulnerability is due to an uninitialized variable,” according to the advisory. “An attacker could exploit this vulnerability by sending a series of NETCONF or RESTCONF requests to an affected device.”
This vulnerability affects devices running the following:
- Cisco IOS XE software if configured for autonomous or controller mode
- Cisco IOS XE SD-WAN software
Workaround, Mitigation Available
Unlike the previous 2 bugs, this 1 has both a workaround & a mitigation.
Re: workaround, it’s important to note that to be vulnerable, 3 things must be configured:
- AAA
- NETCONF, RESTCONF or both
- “Enable password” used without “enable secret”
Thus, users can remove the “enable password” configuration & configure “enable secret” instead, in order to protect themselves.
As for a mitigation, to limit the attack surface, admins can ensure that access control lists (ACLs) are in place for NETCONF & RESTCONF to prevent attempted access from untrusted subnets, Cisco advised.
