Cisco released updates on Wednesday to fix dozens of bugs in its products, including critical flaws in SD-WAN software and the HyperFlex HX data platform.
Two critical bugs, as well as three high-severity problems, were patched in the SD-WAN vManage software. The bugs are independent of one another: exploiting one does not require exploiting any of the others.
Unauthenticated, remote attackers could use one of the critical flaws (CVE-2021-1468, CVSS score 9.8) to invoke privileged actions and even create new administrative accounts, allowing them to access, alter, or remove data. The second critical flaw (CVE-2021-1505, CVSS score 9.1) affects SD-WAN vManage's web-based management interface and could enable attackers to achieve elevated privileges.
The SD-WAN vManage high-severity flaws could be used to achieve elevated privileges (CVE-2021-1508), trigger a denial-of-service condition (CVE-2021-1275), or gain unauthorised access to services (CVE-2021-1506).
According to Cisco, there are no workarounds for these flaws. IOS XE SD-WAN, SD-WAN vEdge routers, SD-WAN vBond Orchestrator, SD-WAN vEdge cloud routers, and SD-WAN vSmart Controller software are among the affected products.
Cisco also released patches on Wednesday for a critical flaw in the HyperFlex HX installer virtual machine’s web-based management interface, which could enable attackers to run commands as root. The bug, identified as CVE-2021-1497, has a CVSS score of 9.8 and was patched alongside a high-severity flaw (CVE-2021-1498, CVSS score 7.3) that also allows for command injection attacks.
High-severity vulnerabilities were also patched in SD-WAN, Small Business 100, 300, and 500 series routers, Enterprise NFV Infrastructure Software (NFVIS), Unified Communications Manager IM & Presence Service, and AnyConnect Secure Mobility Client for Windows. Cisco also fixed a number of medium-severity bugs in its SD-WAN and other products.