Cisco patches serious SD-WAN software security holes

Cisco has patched security vulnerabilities in four packages of SD-WAN Solution software, addressing buffer overflow, arbitrary file overwrite and privileged-access weaknesses that could have led to denial-of-service attacks or unauthorized access.

The first patch, called “Critical” by Cisco, fixes a vulnerability in the vContainer of the Cisco SD-WAN Solution that could let an authenticated, remote attacker cause a denial of service (DoS) and execute arbitrary code as the root user, the company wrote in a security advisory.

This vulnerability touches Cisco vSmart Controller Software running a release of the Cisco SD-WAN Solution prior to Release 18.4.0.

“The vulnerability is due to improper bounds checking by the vContainer. An attacker could exploit this vulnerability by sending a malicious file to an affected vContainer instance,” Cisco stated.

The twist here is that customers must request the fix from Cisco to get it. “There is no fixed software for Cisco customers to download and deploy for this vulnerability. Customers must engage their Cisco support contact to ensure the deployment of the latest software fix.”

[UPDATE: Cisco says it has updated this advisory to let customers know the fixed software has already been deployed by Cisco for this vulnerability. There is no action customers need to take. The related advisories are:

- Cisco SD-WAN Solution Buffer Overflow Vulnerability (CVE-2019-1651)
- Cisco SD-WAN Solution Unauthorized Access Vulnerability (CVE-2019-1647)]