
Cisco fixes critical pre-auth bugs in SD-WAN, cloud license manager
2021-01-20 14:25

Cisco has released security updates to address pre-auth remote code execution vulnerabilities affecting multiple SD-WAN products and the Cisco Smart Software Manager software.

Unauthenticated attackers can remotely exploit buffer overflow and command injection bugs to execute arbitrary code or to run arbitrary commands on the underlying operating system of devices running vulnerable releases of SD-WAN and Cisco Smart Software Manager Satellite software.

Pre-auth RCE vulnerabilities affecting Cisco's cloud licensing manager are tracked as CVE-2021-1138, CVE-2021-1140, and CVE-2021-1142.

Cisco has fixed them in versions 6.3.0 and later and has renamed Cisco Smart Software Manager Satellite to Cisco Smart Software Manager On-Prem.

Cisco today also addressed critical command injection vulnerabilities impacting SD-WAN products and the Command Runner tool of Cisco DNA Center.

In November, the company also patched multiple pre-authentication vulnerabilities with public exploits in the Cisco Security Manager, which exposed affected devices to remote code execution attacks.


News URL

https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-pre-auth-bugs-in-sd-wan-cloud-license-manager/

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK

2021-01-20 | CVE-2021-1138 | OS Command Injection vulnerability in Cisco Smart Software Manager Satellite 5.1.0 | critical 9.8
Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system.
network, low complexity, cisco, CWE-78

2021-01-20 | CVE-2021-1140 | OS Command Injection vulnerability in Cisco Smart Software Manager Satellite 5.1.0 | critical 9.8
Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system.
network, low complexity, cisco, CWE-78

2021-01-20 | CVE-2021-1142 | OS Command Injection vulnerability in Cisco Smart Software Manager Satellite 5.1.0 | critical 9.8
Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system.
network, low complexity, cisco, CWE-78

Related vendor

VENDOR | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS
Cisco | 2046 | 21 | 1771 | 1669 | 288 | 3749