Cisco has released patches to address flaws in its SD-WAN vManage and HyperFlex HX software that could allow unauthenticated users to create admin accounts as the root user. Threat actors could exploit these flaws, if left unpatched, to gain access to the application and execute arbitrary code. It is recommended to patch these applications as soon as possible to prevent this from occurring.
Technical Detail & Additional Information
WHAT IS THE THREAT?
Unpatched instances of SD-WAN vManage or HyperFlex HX can be exploited to give an attacker further access to the application. Unauthenticated remote attackers can execute arbitrary code or gain access to sensitive information. Authenticated local attackers could escalate their privileges or gain unauthorized access to the application. Even though some of these vulnerabilities affect only software that is running in cluster mode, it is still important that these patches are installed.
WHY IS IT NOTEWORTHY?
Both of these applications are widely used and can serve as an attack vector for gaining further access to the network. Some of these vulnerabilities can be exploited without credentials, which allows an attacker to gain access without first compromising an account. Although many earlier patches have addressed similar issues, it is necessary that this latest patch is installed as well.
WHAT IS THE EXPOSURE OR RISK?
Once exploited, these flaws give attackers access to sensitive information and may even allow arbitrary code execution via the application. The compromised application can then be used as a foothold to gain further access into the network. Further compromise could lead to ransomware attacks or to confidential information within the network being exposed.
WHAT ARE THE RECOMMENDATIONS?
There are various recommendations and preventative measures that can be implemented:
- Patch the affected applications as soon as possible and keep a proper patching routine to ensure all devices are up to date.
- Have SKOUT Endpoint Protection installed on machines to prevent malicious execution of commands or code in memory or on disk.
- Ensure that your Cisco SD-WAN vManage software is not running in cluster mode if it should not be, by checking the web-based management interface:
  - Administration -> Cluster Manage View
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.