Security News > 2021 > September > Critical Cisco Bugs Allow Code Execution on Wireless, SD-WAN
Cisco is warning three critical security vulnerabilities affect its flagship IOS XE software, the operating system for most of its enterprise networking portfolio.
The most severe of the critical bugs is an unauthenticated remote-code-execution and denial-of-service bug, affecting the Cisco Catalyst 9000 family of wireless controllers.
Boasting a rare 10 out of 10 CVSS vulnerability-severity rating, the issue specifically exists in the control and provisioning of wireless access points protocol processing used by the Cisco IOS XE software that powers the devices.
"An attacker could exploit this vulnerability by sending a crafted CAPWAP packet to an affected device. A successful exploit could allow the attacker to execute arbitrary code with administrative privileges or cause the affected device to crash and reload, resulting in a DoS condition."
RCE and DoS for Cisco SD-WAN. The next two critical bugs both rate 9.8 out of 10 on the CVSS scale.
The last critical bug is an authentication-bypass vulnerability in the IOS XE software - specifically affecting the network configuration protocol used to install, manipulate and delete the configuration of network devices through a network management system; and the RESTCONF protocol, which is a REST-based HTTP interface used to query and configure devices with NETCONF configuration datastores.
News URL
https://threatpost.com/critical-cisco-bugs-wireless-sd-wan/174991/
Related news
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- Critical vulnerability in Cisco industrial wireless access points fixed (CVE-2024-20418) (source)
- Cisco scores a perfect CVSS 10 with critical flaw in its wireless system (source)
- Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications (source)
- CISA Warns of Critical Fortinet Flaw as Palo Alto and Cisco Issue Urgent Security Patches (source)