Blog - Edgeium

DNA and SD WAN Critical Security Vulnerability Notice

Written by Eric Sommers | 06.20.2019

A new security vulnerability pushed Cisco to urge enterprise administrators to install critical security updates. As always, a SMARTnet contract is not necessary to obtain fixed software for security vulnerabilities.

Vulnerability Details

CVE-2019-1848 is a Cisco DNA Center authentication bypass vulnerability. Because access to the ports necessary for system operation is insufficiently restricted, an attacker may reach internal services that are not hardened for external access. Its CVSS score of 9.3 (out of 10) makes this a critical issue to address. A successful exploit could also let an unauthenticated attacker connect an unauthorized network device to the subnet designated for cluster services. Please ensure that you are running release 1.3 or newer. Fixed software is not available through Cisco’s software center. There is an “update” feature within DNA Center that calls for the fixed software.

CVE-2019-1625 is a Cisco SD-WAN privilege escalation vulnerability. The cause is insufficient authorization enforcement, which could allow the attacker to make configuration changes to the system as the root user. It has a CVSS score of 7.8. Any release of Cisco’s SD-WAN Solution prior to 18.3.6, 18.4.1, and 19.1.0 is impacted. 18.4.1 is the minimum recommended image.
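The release thresholds above can be checked against a device inventory. The following is an added example, not code from Cisco or from this post. It assumes the three SD-WAN releases named are the first fixed release in each train, that trains older than 18.3 have no fix, and that trains newer than 19.1 include it. The product keys `sdwan` and `dnac` and the sample inventory are made up for illustration.

```python
import re

# Fixed releases per train, from the notice: 18.3.6, 18.4.1 and 19.1.0.
SDWAN_FIXED = {(18, 3): (18, 3, 6), (18, 4): (18, 4, 1), (19, 1): (19, 1, 0)}
SDWAN_RECOMMENDED = (18, 4, 1)   # "minimum recommended image" in the notice
DNAC_FIXED = (1, 3, 0)           # "release 1.3 or newer"


def parse_version(text):
    """Turn '18.3.5' or '1.3.0.2' into a tuple of ints; reject anything else."""
    if not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))   # pad '1.3' to (1, 3, 0)


def sdwan_status(version):
    """Return 'vulnerable', 'below-recommended' or 'ok' for CVE-2019-1625."""
    v = parse_version(version)
    train = v[:2]
    if train in SDWAN_FIXED:
        fixed = v >= SDWAN_FIXED[train]
    else:
        # Assumption: trains older than 18.3 are unfixed, newer than 19.1 are fixed.
        fixed = train > max(SDWAN_FIXED)
    if not fixed:
        return "vulnerable"
    return "ok" if v >= SDWAN_RECOMMENDED else "below-recommended"


def dnac_status(version):
    """Return 'vulnerable' or 'ok' for CVE-2019-1848."""
    return "ok" if parse_version(version) >= DNAC_FIXED else "vulnerable"


def audit(inventory):
    """inventory: iterable of (hostname, product, version); returns non-'ok' rows."""
    check = {"sdwan": sdwan_status, "dnac": dnac_status}   # hypothetical product keys
    rows = ((h, p, v, check[p](v)) for h, p, v in inventory)
    return [r for r in rows if r[3] != "ok"]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [("vedge-01", "sdwan", "18.3.5"), ("vedge-02", "sdwan", "18.3.6"),
          ("vedge-03", "sdwan", "18.4.1"), ("vsmart-01", "sdwan", "17.2.8"),
          ("dnac-01", "dnac", "1.2.10"), ("dnac-02", "dnac", "1.3.0.2")]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A device on 18.3.6 is reported as below-recommended rather than vulnerable: it carries the fix for its train but sits under the 18.4.1 minimum recommended image.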

The “High” and “Critical” advisories are listed below:

| Advisory Alert | Impact |
| --- | --- |
| Cisco RV110W, RV130W, and RV215W Routers Management Interface Remote Command Execution Security Vulnerability | Critical |
| Cisco SD-WAN Solution Privilege Escalation Security Vulnerability | Critical |
| Cisco DNA Center Authentication Bypass Security Vulnerability | Critical |
| Cisco Prime Service Catalog Cross-Site Request Forgery Vulnerability | High |
| Cisco TelePresence Endpoint Command Shell Injection Vulnerability | High |
| Cisco StarOS Denial of Service Vulnerability | High |
| Cisco SD-WAN Solution Privilege Escalation Vulnerability | High |
| Cisco SD-WAN Solution Command Injection Vulnerability | High |
| Cisco RV110W, RV130W, and RV215W Routers Management Interface Denial of Service Vulnerability | High |
| Cisco Meeting Server CLI Command Injection Vulnerability | High |
| Cisco Secure Boot Hardware Tampering Vulnerability | High |
| Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability | High |
| Cisco Industrial Network Director Remote Code Execution Vulnerability | High |
| Cisco Unified Communications Manager IM&P Service, Cisco TelePresence VCS, and Cisco Expressway Series Denial of Service Vulnerability | High |
| Cisco IOS XR Software BGP MPLS-Based EVPN Denial of Service Vulnerability | High |

As Cisco continues to surge toward becoming a software company, please consider the potential impact that a major exploit could have on organizations if the market continues to open its networks to Cisco’s software development and new licensing model.

It’s not a matter of “if,” but rather “when?”