Cisco addresses 3 critical vulnerabilities in IOS XE Software

Cisco fixed three critical flaws impacting IOS XE operating system powering some of its devices, such as routers and wireless controllers.

Cisco has addressed three critical vulnerabilities impacting its IOS XE operating system powering multiple products, including routers and wireless controllers.

The most severe of these vulnerabilities is a Remote Code Execution Vulnerability, tracked as CVE-2021-34770, in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controller.

“A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to execute arbitrary code with administrative privileges or cause a denial of service (DoS) condition on an affected device.” reads the advisory published by Cisco.

The flaw is due to a logic error that occurs during the validation of CAPWAP packets. A remote, unauthenticated attacker can trigger the flaw by sending a specially crafted CAPWAP packet to a vulnerable device. Successful exploitation of the issue could allow the attacker to execute arbitrary code with administrative privileges or cause the device to crash and reload.

This vulnerability affects the following products if they are running a flawed Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers:

Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
Catalyst 9800 Series Wireless Controllers
Catalyst 9800-CL Wireless Controllers for Cloud
Embedded Wireless Controller on Catalyst Access Points

Another critical-severity vulnerability addressed by the IT giant is a buffer overflow issue, tracked as CVE-2021-34727, in the vDaemon process in Cisco IOS XE SD-WAN Software. The flaw is due insufficient bounds checking and has been rated with a CVSS score of 9.8.

“A vulnerability in the vDaemon process in Cisco IOS XE SD-WAN Software could allow an unauthenticated, remote attacker to cause a buffer overflow on an affected device.” reads the security advisory. “This vulnerability is due to insufficient bounds checking when an affected device processes traffic. An attacker could exploit this vulnerability by sending crafted traffic to the device. A successful exploit could allow the attacker to cause a buffer overflow and possibly execute arbitrary commands with root-level privileges, or cause the device to reload, which could result in a denial of service condition.”

A remote, unauthenticated attacker can exploit this flaw by sending modified traffic to a vulnerable target device. Successful exploitation could lead to executing arbitrary commands with the highest privileges or trigger a denial-of-service (DoS) condition.

The issue affects the following products running an outdated version of Cisco IOS XE SD-WAN software and have the SD-WAN feature active (disabled by default):

1000 Series Integrated Services Routers (ISRs)
4000 Series ISRs
ASR 1000 Series Aggregation Services Routers
Cloud Services Router 1000V Series

The third critical flaw addressed by Cisco, tracked as CVE-2021-1619, is an authentication bypass vulnerability in the authentication, authorization, and accounting (AAA) function of Cisco IOS XE software.

“A vulnerability in the authentication, authorization, and accounting (AAA) function of Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass NETCONF or RESTCONF authentication and do either of the following:

Install, manipulate, or delete the configuration of an affected device
Cause memory corruption that results in a denial of service (DoS) on an affected device

This vulnerability is due to an uninitialized variable. An attacker could exploit this vulnerability by sending a series of NETCONF or RESTCONF requests to an affected device.” reads the advisory. “A successful exploit could allow the attacker to use NETCONF or RESTCONF to install, manipulate, or delete the configuration of a network device or to corrupt memory on the device, resulting a DoS.”

Cisco experts are not aware of attacks in the wild exploiting the above critical vulnerabilities.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.