On Wednesday, Cisco published two security advisories, one for its Digital Network Architecture (DNA) Center software and one for its SD-WAN solution.
The more severe of the two concerns DNA Center and "could allow an unauthenticated, adjacent attacker to bypass authentication and access critical internal services," according to the Cisco Security Advisory.
"The vulnerability is due to insufficient access restriction to ports necessary for system operation. An attacker could exploit this vulnerability by connecting an unauthorized network device to the subnet designated for cluster services," according to the advisory. "A successful exploit could allow an attacker to reach internal services that are not hardened for external access."
The DNA Center issue carries a base score of 9.3 out of 10 on the Common Vulnerability Scoring System (CVSS), which places it in the Critical band. The vulnerability affects Cisco DNA Center software releases prior to 1.3. Cisco has released software updates that address it but said there are no workarounds, so the only mitigation short of upgrading is to keep untrusted devices off the subnet reserved for cluster services. Cisco noted that system updates are available for installation from the Cisco cloud, not from the Software Center on Cisco.com.
Cisco DNA Center is the network management and command center for Cisco DNA. It uses software-defined access to help IT professionals establish policies that are then provisioned through Cisco's DNA Automation.
In 2017, Cisco introduced intent-based networking with the launch of DNA Center at Cisco Live. At last week's Cisco Live conference, the company announced its AI Network Analytics will be a standard piece of Cisco DNA Center Assurance, and will be available in the next version of Cisco DNA Center, which is slated for release this summer. Cisco said AI Network Analytics would be included in the Cisco DNA Advantage licensing tier.
Threat to CLI of SD-WAN
The second advisory covers a vulnerability in the command-line interface (CLI) of Cisco's SD-WAN solution that could allow an authenticated, local attacker to elevate lower-level privileges to root on an affected device.
"The vulnerability is due to insufficient authorization enforcement," Cisco wrote in its security advisory. "An attacker could exploit this vulnerability by authenticating to the targeted device and executing commands that could lead to elevated privileges. A successful exploit could allow the attacker to make configuration changes to the system as the root user."
The SD-WAN vulnerability has a CVSS base score of 7.8, which falls in the High band rather than Critical; exploitation requires an attacker who already holds a local account on the device. Cisco has released software updates that address it but said there are no workarounds.
This SD-WAN vulnerability affects the following Cisco products that are running a release of the Cisco SD-WAN solution prior to releases 18.3.6, 18.4.1, and 19.1.0:
- vBond Orchestrator Software
- vEdge 100 Series Routers
- vEdge 1000 Series Routers
- vEdge 2000 Series Routers
- vEdge 5000 Series Routers
- vEdge Cloud Router Platform
- vManage Network Management Software
- vSmart Controller Software
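Because neither advisory has a workaround, the practical first step is to find which devices in your estate still run an affected release. The script below is an added example, not Cisco's tooling; it encodes the fixed-release thresholds stated above (DNA Center 1.3, and SD-WAN 18.3.6, 18.4.1 and 19.1.0 per release train) and runs them over a constructed sample inventory. One assumption is labelled in the code: an SD-WAN release train with no listed fixed release (for example 18.2.x) is treated conservatively as affected when it is older than the newest listed fix, and as fixed when it is newer (for example 19.2.x).

```python
"""Inventory check against the two Cisco advisories described above.

Added example, not Cisco's own tooling. Fixed-release thresholds are taken
from the article text; the inventory at the bottom is constructed sample data.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# SD-WAN: first fixed release per release train (from the advisory summary above).
SDWAN_FIXED: Dict[Tuple[int, int], Version] = {
    (18, 3): (18, 3, 6),
    (18, 4): (18, 4, 1),
    (19, 1): (19, 1, 0),
}
SDWAN_PRODUCTS = {
    "vBond Orchestrator Software",
    "vEdge 100 Series Routers",
    "vEdge 1000 Series Routers",
    "vEdge 2000 Series Routers",
    "vEdge 5000 Series Routers",
    "vEdge Cloud Router Platform",
    "vManage Network Management Software",
    "vSmart Controller Software",
}
# DNA Center: releases prior to 1.3 are affected.
DNAC_FIXED: Version = (1, 3, 0)
DNAC_PRODUCT = "Cisco DNA Center"


def parse_version(text: str) -> Version:
    """Turn '18.4.1', '1.3' or '19.2.0-build7' into a comparable 3-tuple.

    Only the leading digits of each dotted field count; missing fields are 0,
    so '1.3' compares equal to '1.3.0'. Fields beyond the third are dropped.
    """
    fields: List[int] = []
    for field in text.strip().split("."):
        digits = ""
        for ch in field:
            if not ch.isdigit():
                break
            digits += ch
        fields.append(int(digits) if digits else 0)
    fields.extend([0] * (3 - len(fields)))
    return (fields[0], fields[1], fields[2])


def sdwan_is_affected(version: str) -> bool:
    """True if an SD-WAN release predates the fix for its release train.

    Assumption for trains with no listed fixed release: anything older than
    the newest listed fix is flagged as affected, anything newer is not.
    """
    v = parse_version(version)
    train = (v[0], v[1])
    if train in SDWAN_FIXED:
        return v < SDWAN_FIXED[train]
    return v < max(SDWAN_FIXED.values())


def dnac_is_affected(version: str) -> bool:
    """True for DNA Center releases prior to 1.3."""
    return parse_version(version) < DNAC_FIXED


def affected_hosts(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the inventory entries that still run an affected release,
    each tagged with the advisory that applies to it."""
    hits: List[Dict[str, str]] = []
    for entry in inventory:
        product, version = entry["product"], entry["version"]
        if product in SDWAN_PRODUCTS and sdwan_is_affected(version):
            hits.append({**entry, "advisory": "SD-WAN CLI privilege escalation"})
        elif product == DNAC_PRODUCT and dnac_is_affected(version):
            hits.append({**entry, "advisory": "DNA Center authentication bypass"})
    return hits


# Constructed sample inventory: hostnames and versions are made up for illustration.
INVENTORY: List[Dict[str, str]] = [
    {"host": "vmanage-01", "product": "vManage Network Management Software", "version": "18.4.0"},
    {"host": "vsmart-01", "product": "vSmart Controller Software", "version": "18.4.1"},
    {"host": "vbond-01", "product": "vBond Orchestrator Software", "version": "18.3.5"},
    {"host": "vedge-branch-7", "product": "vEdge 1000 Series Routers", "version": "19.1.0"},
    {"host": "vedge-dc-1", "product": "vEdge 5000 Series Routers", "version": "18.2.0"},
    {"host": "vedge-cloud-3", "product": "vEdge Cloud Router Platform", "version": "19.2.0"},
    {"host": "dnac-01", "product": "Cisco DNA Center", "version": "1.2.10"},
    {"host": "dnac-02", "product": "Cisco DNA Center", "version": "1.3.0"},
]

if __name__ == "__main__":
    for hit in affected_hosts(INVENTORY):
        print(f"{hit['host']:16} {hit['product']:38} {hit['version']:8} {hit['advisory']}")
```

Feed it the output of your own asset inventory (vManage's device list, or a CMDB export) in the same host/product/version shape; the version comparison is tuple-based, so a naive string comparison like "18.4.10" < "18.4.2" cannot creep in.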