Cisco addresses 3 critical vulnerabilities in IOS XE Software

Cisco fixed three critical flaws impacting IOS XE operating system powering some of its devices, such as routers and wireless controllers.

Cisco has addressed three critical vulnerabilities impacting its IOS XE operating system powering multiple products, including routers and wireless controllers.

The most severe of these vulnerabilities is a Remote Code Execution Vulnerability, tracked as CVE-2021-34770, in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controller.

“A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to execute arbitrary code with administrative privileges or cause a denial of service (DoS) condition on an affected device.” reads the advisory published by Cisco.

The flaw is due to a logic error that occurs during the validation of CAPWAP packets. A remote, unauthenticated attacker can trigger the flaw by sending a specially crafted CAPWAP packet to a vulnerable device. Successful exploitation of the issue could allow the attacker to execute arbitrary code with administrative privileges or cause the device to crash and reload.

This vulnerability affects the following products if they are running a flawed Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers:

• Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
• Catalyst 9800 Series Wireless Controllers
• Catalyst 9800-CL Wireless Controllers for Cloud
• Embedded Wireless Controller on Catalyst Access Points

Another critical-severity vulnerability addressed by the IT giant is a buffer overflow issue, tracked as CVE-2021-34727, in the vDaemon process in Cisco IOS XE SD-WAN Software. The flaw is due insufficient bounds checking and has been rated with a CVSS score of 9.8.

“A vulnerability in the vDaemon process in Cisco IOS XE SD-WAN Software could allow an unauthenticated, remote attacker to cause a buffer overflow on an affected device.” reads the security advisory. “This vulnerability is due to insufficient bounds checking when an affected device processes traffic. An attacker could exploit this vulnerability by sending crafted traffic to the device. A successful exploit could allow the attacker to cause a buffer overflow and possibly execute arbitrary commands with root-level privileges, or cause the device to reload, which could result in a denial of service condition.”

A remote, unauthenticated attacker can exploit this flaw by sending modified traffic to a vulnerable target device. Successful exploitation could lead to executing arbitrary commands with the highest privileges or trigger a denial-of-service (DoS) condition.

The issue affects the following products running an outdated version of Cisco IOS XE SD-WAN software and have the SD-WAN feature active (disabled by default):

• 1000 Series Integrated Services Routers (ISRs)
• 4000 Series ISRs
• ASR 1000 Series Aggregation Services Routers
• Cloud Services Router 1000V Series

The third critical flaw addressed by Cisco, tracked as CVE-2021-1619, is an authentication bypass vulnerability in the authentication, authorization, and accounting (AAA) function of Cisco IOS XE software.

“A vulnerability in the authentication, authorization, and accounting (AAA) function of Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass NETCONF or RESTCONF authentication and do either of the following:

• Install, manipulate, or delete the configuration of an affected device
• Cause memory corruption that results in a denial of service (DoS) on an affected device

This vulnerability is due to an uninitialized variable. An attacker could exploit this vulnerability by sending a series of NETCONF or RESTCONF requests to an affected device.” reads the advisory. “A successful exploit could allow the attacker to use NETCONF or RESTCONF to install, manipulate, or delete the configuration of a network device or to corrupt memory on the device, resulting a DoS.”

Cisco experts are not aware of attacks in the wild exploiting the above critical vulnerabilities.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

[adrotate banner=”5″]

[adrotate banner=”13″]