It's 2021 and you can hijack a Cisco SD-WAN deployment with malicious IP traffic and a buffer overflow. Patch now

And also fix up these other holes that can be exploited via HTTP requests, SQL injection, etc


Cisco this week emitted patches for four sets of critical-severity security holes in its products along with other fixes.

The worst of the bugs can be exploited by sending specially crafted IP packets to a vulnerable installation, and overflowing a memory buffer to ultimately execute code as root on the machine, allowing the box to be completely commandeered. Another set of flaws can be abused by sending HTTP requests that trigger arbitrary command execution to again hijack the machine. You should install updates to address these vulnerabilities as soon as possible.

Here's a quick list:

Cisco SD-WAN Buffer Overflow Vulnerabilities (CVE-2021-1300, CVE-2021-1301): Systems running the Cisco SD-WAN software – such as SD-WAN vEdge Routers – can be exploited "by sending crafted IP traffic through an affected device, which may cause a buffer overflow when the traffic is processed." A successful attack can result in the execution of arbitrary code on the underlying operating system with root privileges, which means you basically hand over the gear to a stranger. No authentication is needed; you just have to be able to send traffic to the software.

That's the 1300 bug. The 1301 can be exploited by an authenticated user to knock out a vulnerable machine. According to Cisco, "due to insufficient input validation of user-supplied input that is read by the system during the establishment of an SSH connection," a hacker could submit a maliciously crafted file, overflow a buffer, and denial-of-service the box. Both holes were found by Switchzilla's James Spadaro during internal security testing.

Cisco SD-WAN Command Injection Vulnerabilities (CVE-2021-1260, CVE-2021-1261, CVE-2021-1262, CVE-2021-1263, CVE-2021-1298, CVE-2021-1299): These can be exploited by authenticated users to gain root-level privileges on a system running the vulnerable software. This can be achieved via the command-line interface, the tcpdump command, a device template file, and a single-sign-on configuration file. These programming blunders were discovered through a mix of diagnosing customer support tickets and internal security testing at Cisco.

Cisco DNA Center Command Runner Command Injection Vulnerability (CVE-2021-1264): An authenticated remote user can supply a maliciously "crafted input during command execution or via a crafted command runner API call. A successful exploit could allow the attacker to execute arbitrary CLI commands on devices managed by Cisco DNA Center." It was found during an internal security audit.

Cisco Smart Software Manager Satellite Web UI Command Injection Vulnerabilities (CVE-2021-1138, CVE-2021-1139, CVE-2021-1140, CVE-2021-1141, CVE-2021-1142): These bugs can be exploited to run arbitrary commands on a vulnerable installation by sending specially crafted HTTP requests to the web interface. Bugs 1139 and 1141 require authentication and will run the commands as root, and the others require none at all and will run the commands as a high-privilege account. They were found during an internal security audit.

Cisco believes none of the above are being exploited in the wild. Switchzilla also patched a bunch of other vulnerabilities, such as a Cisco Secure Web Appliance privilege escalation flaw (CVE-2020-3367); Cisco SD-WAN vManage authorization bypass vulnerabilities (CVE-2021-1302, CVE-2021-1304, CVE-2021-1305); and Cisco Data Center Network Manager SQL Injection Vulnerabilities (CVE-2021-1247, CVE-2021-1248). ®
