Cisco released software updates this week addressing multiple vulnerabilities the company says “could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application.”
A variety of security lapses were found in Cisco’s SD-WAN vManage Software and in the web-based management interface of HyperFlex HX, all of which required software updates. Cisco said in a statement that there were no workarounds that address these vulnerabilities.
The company published detailed breakdowns of each vulnerability, highlighting specific issues revolving around SD-WAN vManage Cluster Mode Unauthorized Message Processing, Privilege Escalation, Unauthorized Access, vManage Denial of Service, and Unauthorized Services Access.
The vulnerabilities allow authorized and unauthorized users to send unauthorized messages to the vulnerable application, gain elevated privileges, make application modifications or cause a DoS condition on affected systems.
Software updates were also released to address security gaps with Cisco’s HyperFlex HX Installer Virtual Machine Command Injection and the Data Platform Command Injection.
Cisco’s Product Security Incident Response Team said it was not aware of any “malicious use of the vulnerabilities” yet for either product. Many of the vulnerabilities listed only affect Cisco SD-WAN vManage Software that is operating in a cluster. Users can determine whether their software is operating in cluster mode by checking the Administration > Cluster Management view in the Cisco SD-WAN vManage web-based management interface.
The company has sent out multiple updates to address new vulnerabilities over the past few months. Oliver Tavakoli, CTO at cybersecurity firm Vectra, said the drumbeat of vulnerability disclosures against Cisco’s SD-WAN product line actually has a silver lining: Most of the reported vulnerabilities are being discovered by Cisco engineers during what appears to be a period of concentrated security testing.
“While we all want perfect software, vendors who find and fix security vulnerabilities before in-the-wild exploits against them are reported should be encouraged to continue on this journey. The key measure of success will ultimately be when high and critical vulnerabilities for this product line gradually slow to a trickle,” Tavakoli said.
JupiterOne CMO Tyler Shields noted that there has been a recent spike in exploit disclosure for SD-WAN, VPN, and other network-based technologies. He said this is due, in part, to the impact of the pandemic and an increase in network requirements for remote offices and work from home scenarios.
Shields added that discovery of exploits tends to cluster over time and said he expects additional network technology-based exploits to be disclosed as hackers continue to target those types of devices.
Dirk Schrader, global vice president of security research at New Net Technologies, echoed those remarks, telling ZDNet that because of their importance to the infrastructure, networking devices are, by nature, prime targets for cyber-criminals.
“Given the criticality of those vulnerabilities now patched by Cisco, it will be just a matter of time until the patch cycle race once again will distinguish between those ahead of the curve and those behind,” Schrader said. “Running a full-scale vulnerability scan on the organization’s infrastructure, both from an external point as well as from an internal one, is necessary to be ahead.”