Critical Security Vulnerability Notice in Cisco DNA and SD WAN

A new security vulnerability pushed Cisco to urge enterprise administrators to install critical security updates. As always, a SMARTnet contract is not necessary to obtain fixed software for security vulnerabilities.

Vulnerability Details

CVE-2019-1848 is a Cisco DNA Center authentication bypass vulnerability. Because access to the ports necessary for system operation is insufficiently restricted, an attacker may reach internal services that are not hardened for external access. A successful exploit could also let an unauthenticated attacker connect an unauthorized network device to the subnet designated for cluster services. The CVSS score of 9.3 (out of 10) marks this as a critical issue to address. Please ensure that you are running release 1.3 or newer. Fixed software is not available through Cisco’s software center; instead, DNA Center has an “update” feature that calls for the fixed software.

CVE-2019-1625 is a Cisco SD-WAN privilege escalation vulnerability caused by insufficient authorization enforcement. It could allow an attacker to make configuration changes to the system as the root user. It has a CVSS score of 7.8. Any release of Cisco’s SD-WAN Solution prior to 18.3.6, 18.4.1, and 19.1.0 is impacted; 18.4.1 is the minimum recommended image.
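To check an inventory against the release thresholds above, the following added example (not Cisco's or this page's own code) compares release strings numerically per train. It assumes each SD-WAN release listed is the first fixed one in its own train; the host names and inventory rows are constructed.

```python
import re

# First fixed releases per train for CVE-2019-1625, taken from this page.
# Assumption: each listed release is the first fixed one in its own train.
SDWAN_FIXED = {(18, 3): (18, 3, 6), (18, 4): (18, 4, 1), (19, 1): (19, 1, 0)}
SDWAN_RECOMMENDED = (18, 4, 1)  # "minimum recommended image" on this page
DNAC_MINIMUM = (1, 3)           # "release 1.3 or newer" for CVE-2019-1848


def parse_release(text):
    """Parse '18.3.10' into (18, 3, 10) so comparison is numeric, not lexical."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)+", text):
        raise ValueError(f"unrecognised release string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def sdwan_status(release):
    """Classify an SD-WAN release against CVE-2019-1625."""
    ver = (parse_release(release) + (0,))[:3]
    train = ver[:2]
    if train in SDWAN_FIXED:
        fixed = ver >= SDWAN_FIXED[train]
    else:
        # Assumption: an unnamed train is fixed only if newer than the newest listed fix.
        fixed = ver >= max(SDWAN_FIXED.values())
    if not fixed:
        return "affected"
    return "fixed" if ver >= SDWAN_RECOMMENDED else "fixed-below-recommended"


def dnac_status(release):
    """Classify a DNA Center release against the 1.3 minimum."""
    return "ok" if parse_release(release)[:2] >= DNAC_MINIMUM else "update"


def audit(inventory):
    """Map each host to its status; inventory rows are (host, product, release)."""
    checks = {"sdwan": sdwan_status, "dnac": dnac_status}
    return {host: checks[product](rel) for host, product, rel in inventory}


# Constructed sample inventory (hypothetical host names and releases).
INVENTORY = [
    ("vedge-01", "sdwan", "18.3.5"),
    ("vedge-02", "sdwan", "18.3.10"),
    ("vsmart-01", "sdwan", "18.4.0"),
    ("dnac-01", "dnac", "1.2.10"),
]
```

Calling `audit(INVENTORY)` flags 18.3.10 as fixed but below the recommended image, a case that a plain string comparison against "18.3.6" would misclassify as affected.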

“High” and “Critical” advisories listed below:

| Advisory Alert | Impact |
| --- | --- |
| Cisco RV110W, RV130W, and RV215W Routers Management Interface Remote Command Execution Vulnerability | Critical |
| Cisco SD-WAN Solution Privilege Escalation Security Vulnerability | Critical |
| Cisco DNA Center Authentication Bypass Security Vulnerability | Critical |
| Cisco Prime Service Catalog Cross-Site Request Forgery Vulnerability | High |
| Cisco TelePresence Endpoint Command Shell Injection Vulnerability | High |
| Cisco StarOS Denial of Service Vulnerability | High |
| Cisco SD-WAN Solution Privilege Escalation Vulnerability | High |
| Cisco SD-WAN Solution Command Injection Vulnerability | High |
| Cisco RV110W, RV130W, and RV215W Routers Management Interface Denial of Service Vulnerability | High |
| Cisco Meeting Server CLI Command Injection Vulnerability | High |
| Cisco Secure Boot Hardware Tampering Vulnerability | High |
| Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability | High |
| Cisco Industrial Network Director Remote Code Execution Vulnerability | High |
| Cisco Unified Communications Manager IM&P Service, Cisco TelePresence VCS, and Cisco Expressway Series Denial of Service Vulnerability | High |
| Cisco IOS XR Software BGP MPLS-Based EVPN Denial of Service Vulnerability | High |

As Cisco continues to surge toward becoming a software company, please consider the potential impact that a major exploit could have on organizations if the market continues to open its networks to Cisco’s software development and new licensing model.

It’s not a matter of “if,” but rather “when?”