Security News > 2020 > March > Cisco fixes root privilege, command injection vulnerabilities in Cisco SD-WAN solution

Cisco fixes root privilege, command injection vulnerabilities in Cisco SD-WAN solution
2020-03-20 10:27

Cisco has fixed five security vulnerabilities in its Software-Defined WAN Solution, two of which could allow an authenticated, local attacker to either gain root privileges on the underlying operating system or to inject arbitrary commands that are executed with root privileges.

While there is no indication that these flaw are being actively exploited, no workarounds addressing the vulnerabilities exist so upgrading to the Cisco SD-WAN Solution software release 19.2.2.

CVE-2020-3265 is a privilege escalation vulnerability that can be exploited by sending a crafted request to an affected system.

CVE-2020-3266 is a command injection vulnerability that can be exploited by submitting crafted input to the CLI utility.

CVE-2019-16012, a SQL injection vulnerability that could allow the attacker to modify values on, or return values from, the underlying database as well as the operating system.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/sU1aWCbNfKM/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-03-19 CVE-2019-16012 SQL Injection vulnerability in Cisco Sd-Wan Firmware
A vulnerability in the web UI of Cisco SD-WAN Solution vManage software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system.
network
low complexity
cisco CWE-89
8.1
2020-03-19 CVE-2020-3265 Improper Privilege Management vulnerability in Cisco Sd-Wan Firmware
A vulnerability in Cisco SD-WAN Solution software could allow an authenticated, local attacker to elevate privileges to root on the underlying operating system.
local
low complexity
cisco CWE-269
7.8
2020-03-19 CVE-2020-3266 OS Command Injection vulnerability in Cisco Sd-Wan Firmware
A vulnerability in the CLI of Cisco SD-WAN Solution software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges.
local
low complexity
cisco CWE-78
7.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Cisco 2046 21 1773 1669 288 3751