Cisco fixes root privilege, command injection vulnerabilities in Cisco SD-WAN solution
Cisco has fixed five security vulnerabilities in its Software-Defined WAN Solution, two of which could allow an authenticated, local attacker to either gain root privileges on the underlying operating system or to inject arbitrary commands that are executed with root privileges.
While there is no indication that these flaws are being actively exploited, no workarounds addressing the vulnerabilities exist, so the fix is to upgrade to Cisco SD-WAN Solution software release 19.2.2.
CVE-2020-3265 is a privilege escalation vulnerability that can be exploited by sending a crafted request to an affected system.
CVE-2020-3266 is a command injection vulnerability that can be exploited by submitting crafted input to the CLI utility.
CVE-2019-16012 is a SQL injection vulnerability that could allow the attacker to modify values on, or return values from, the underlying database as well as the operating system.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/sU1aWCbNfKM/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2020-03-19 | CVE-2019-16012 | SQL Injection vulnerability in Cisco Sd-Wan Firmware | A vulnerability in the web UI of Cisco SD-WAN Solution vManage software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. | 8.1 |
2020-03-19 | CVE-2020-3265 | Improper Privilege Management vulnerability in Cisco Sd-Wan Firmware | A vulnerability in Cisco SD-WAN Solution software could allow an authenticated, local attacker to elevate privileges to root on the underlying operating system. | 7.8 |
2020-03-19 | CVE-2020-3266 | OS Command Injection vulnerability in Cisco Sd-Wan Firmware | A vulnerability in the CLI of Cisco SD-WAN Solution software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. | 7.8 |