Cisco SD-WAN vManage Multiple High-Risk Vulnerability Alert

Cisco SD-WAN is Cisco's enterprise wide area network (WAN) solution. It treats security as a core capability and integrates security functions into the entire SD-WAN solution through WAN device integration, providing comprehensive protection against multiple threat scenarios. Cisco SD-WAN vManage provides an automated centralized management platform for Cisco SD-WAN.
On April 7, 2021, Cisco officially issued risk notices for multiple vulnerabilities in SD-WAN vManage. The notice covers CVE-2021-1479, CVE-2021-1137, and CVE-2021-1480: 1 serious vulnerability and 2 high-risk vulnerabilities. The CVSS score of this vulnerability is 9.8.

Vulnerability Detail

CVE-2021-1479: Cisco SD-WAN vManage Remote Management Buffer Overflow Vulnerability

A vulnerability in a remote management component of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to cause a buffer overflow condition.

CVE-2021-1137: Cisco SD-WAN vManage Privilege Escalation Vulnerability

A vulnerability in the user management function of Cisco SD-WAN Software could allow an authenticated, local attacker to gain escalated privileges on the underlying operating system.

CVE-2021-1480: Cisco SD-WAN vManage Privilege Escalation Vulnerability

A vulnerability in system file transfer functions of Cisco SD-WAN Software could allow an authenticated, local attacker to gain escalated privileges on the underlying operating system.

Affected version

Cisco SD-WAN vManage Release | First Fixed Release | First Fixed Release for all Vulnerabilities in this Advisory
18.4 and earlier | Migrate to a fixed release. | Migrate to a fixed release.
19.2 | 19.2.4 | 19.2.4
19.3 | Migrate to a fixed release. | Migrate to a fixed release.
20.1 | Migrate to a fixed release. | Migrate to a fixed release.
20.3 | 20.3.3 | 20.3.3
20.4 | 20.4.1 | 20.4.1

Solution

We recommend that users upgrade Cisco SD-WAN vManage to the latest version promptly.
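
To apply the Affected version table across an inventory, the following added example (not Cisco's code and not part of the original alert) classifies a vManage release string against the first fixed release for its train. The host names and release strings in the sample inventory are constructed, and treating any release at or above the first fixed release in the same train as fixed is an assumption of this example.

```python
import re

# First fixed release per train, copied from the "Affected version" table on this page.
# None means the table says "Migrate to a fixed release" for that train.
FIRST_FIXED = {
    (19, 2): (19, 2, 4),
    (19, 3): None,
    (20, 1): None,
    (20, 3): (20, 3, 3),
    (20, 4): (20, 4, 1),
}
EARLIEST_LISTED = (18, 4)  # table row "18.4 and earlier": migrate


def parse_release(text):
    """Turn '20.3.2' or '20.3.2.1' into a tuple of ints; reject anything else."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+){1,3})\s*", text)
    if not m:
        raise ValueError(f"unrecognized release string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def assess(release):
    """Return (status, detail) for one vManage release string."""
    ver = parse_release(release)
    train = ver[:2]
    if train <= EARLIEST_LISTED:
        return ("migrate", "train 18.4 or earlier: migrate to a fixed release")
    if train not in FIRST_FIXED:
        # Trains absent from the table are reported, never guessed.
        return ("unlisted", "train not in this page's table: check the vendor advisory")
    fixed = FIRST_FIXED[train]
    if fixed is None:
        return ("migrate", "no fix in this train: migrate to a fixed release")
    # Pad so that '20.4' compares as 20.4.0 against 20.4.1.
    padded = ver + (0,) * (3 - len(ver))
    if padded >= fixed:
        return ("fixed", "at or above " + ".".join(map(str, fixed)))
    return ("upgrade", "upgrade to " + ".".join(map(str, fixed)) + " or later")


if __name__ == "__main__":
    # Constructed inventory for illustration, not real hosts.
    inventory = {"vmanage-a": "20.3.2", "vmanage-b": "19.2.4", "vmanage-c": "20.1.1",
                 "vmanage-d": "18.3.8", "vmanage-e": "20.5.1"}
    for host, rel in inventory.items():
        status, detail = assess(rel)
        print(f"{host:10} {rel:8} {status:8} {detail}")
```

Releases in trains the table does not list come back as "unlisted" so they are reviewed by hand rather than silently treated as safe.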