Two critical bugs, as well as three high-severity problems, were patched in the SD-WAN vManage software. The bugs are not interdependent, and their exploitation does not necessitate the exploitation of others. Unauthenticated, remote attackers could use one of the critical flaws (CVE-2021-1468, CVSS score 9.8) to call privileged actions and even build new administrative accounts, allowing them to access, alter, or remove data. The second critical flaw (CVE-2021-1505, CVSS 9.1) affects SD-WAN vManage’s web-based management interface and could enable attackers to achieve elevated privileges. The SD-WAN vManage high-severity flaws could be used to achieve elevated privileges (CVE-2021-1508), trigger a denial of service situation (CVE-2021-1275), or gain unauthorised access to services (CVE-2021-1506). According to Cisco, there are no workarounds for these flaws. IOS XE SD-WAN, SD-WAN vEdge routers, SD-WAN vBond Orchestrator, SD-WAN vEdge cloud routers, and SD-WAN vSmart Controller software are among the affected products. Cisco also released patches on Wednesday for a critical flaw in the HyperFlex HX installer virtual machine’s web-based management interface, which could enable attackers to run commands as root. The bug, identified as CVE-2021-1497, has a CVSS score of 9.8 and was patched alongside a high-severity flaw (CVE-2021-1498, CVSS score 7.3) that also allows for command injection attacks. SD-WAN, Small Business 100, 300, and 500 series routers, Enterprise NFV Infrastructure Software (NFVIS), Unified Communications Manager IM & Presence Service, and AnyConnect Secure Mobility Client for Windows all had high-severity vulnerabilities patched. Cisco also fixed a number of medium-severity bugs in its SD-WAN and other products. On Cisco’s security portal, you can find information on both of these flaws. According to the firm, it is not aware of these bugs being used in attacks.
