Cisco has recently released updates to its SD-WAN and Cloud License Manager products to address remotely exploitable buffer overflow and command injection vulnerabilities. The following SD-WAN products are vulnerable to CVE-2021-1300 and CVE-2021-1301:
- IOS XE SD-WAN Software
- SD-WAN vBond Orchestrator Software
- SD-WAN vEdge Cloud Routers
- SD-WAN vEdge Routers
- SD-WAN vManage Software
- SD-WAN vSmart Controller Software
CVE-2021-1138, CVE-2021-1140, and CVE-2021-1142 affect versions 5.1.0 and below of Cisco Smart Software Manager Satellite. Newer versions of this software have been renamed to Cisco Smart Software Manager On-Prem.
Cisco found all of the vulnerabilities listed above through internal testing, and no evidence of exploitation of these vulnerabilities in the wild has been found.
Cisco's security advisory includes a helpful table showing which SD-WAN updates to apply for each product. Cisco Smart Software Manager Satellite, now renamed Cisco Smart Software Manager On-Prem, addresses the command injection vulnerabilities in version 6.3.0. Binary Defense highly recommends that administrators update these products as soon as possible.