A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to execute arbitrary commands with root privileges. The vulnerability is due to insufficient input validation by the system CLI. An attacker could exploit this vulnerability by authenticating to an affected device and submitting crafted input to the system CLI. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges.
{"threatpost": [{"lastseen": "2021-10-23T02:03:57", "description": "Cisco SD-WAN implementations are vulnerable to a high-severity privilege-escalation vulnerability in the IOS XE operating system that could lead to arbitrary code execution.\n\nCisco\u2019s SD-WAN portfolio allows businesses of all sizes to connect disparate office locations via the cloud using various networking technologies, including standard internet connections. Appliances at each location enable advanced analytics, monitoring, application-specific performance specifications and automation for any connection across a company\u2019s wide-area network.\n\nIOS XE, meanwhile, is the vendor\u2019s operating system that runs those appliances. It\u2019s a combination of a Linux kernel and a monolithic application that runs on top of that kernel.\n\nThe bug (CVE-2021-1529) is an [OS command-injection issue](<https://cwe.mitre.org/data/definitions/78.html>), which enables attackers to execute unexpected, dangerous commands directly on the operating system that normally wouldn\u2019t be accessible. It specifically exists in the command-line interface (CLI) for Cisco\u2019s IOS XE SD-WAN software, and could allow an authenticated, local attacker to execute arbitrary commands with root privileges.\n\n\u201cThe vulnerability is due to insufficient input validation by the system CLI,\u201d according to Cisco\u2019s advisory, [posted this week](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-rhpbE34A>). \u201cA successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges.\u201d\n\nThe advisory also noted that the exploitation path would involve authenticating to a vulnerable device and submitting \u201ccrafted input\u201d to the system CLI. 
A successful compromise would give an attacker the ability to read and write any files on the system, perform operations as any user, change system configurations, install and remove software, upgrade the OS and/or firmware, and much more, including follow-on access to a corporate network.\n\nCVE-2021-1529 rates 7.8 on the CVSS vulnerability-severity scale, and researchers and the Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://us-cert.cisa.gov/ncas/current-activity/2021/10/21/cisco-releases-security-updates-ios-xe-sd-wan-software>) businesses should patch the bug as soon as possible.\n\nGreg Fitzgerald, co-founder at Sevco Security, warned that some organizations may have outdated boxes still attached to their networks, which can be a hidden danger with bugs like these.\n\n\u201cThe vast majority of organizations do an excellent job patching the vulnerabilities on the systems they know about,\u201d he said via email. \u201cThe problem arises when enterprises do not have complete visibility into their asset inventory, because even the most responsive IT and security teams can\u2019t patch a vulnerability for an asset they don\u2019t know is connected to their network. Abandoned and unknown IT assets are often the path of least resistance for malicious actors trying to access your network or data.\u201d\n\nThis is only the latest SD-WAN vulnerability that Cisco has patched this year. 
In January, [it fixed](<https://threatpost.com/critical-cisco-sd-wan-bugs-rce-attacks/163204/>) multiple, critical buffer-overflow and command-injection SD-WAN bugs, the most serious of which could be exploited by an unauthenticated, remote attacker to execute arbitrary code on the affected system with root privileges.\n\nIn May, Cisco addressed two critical security vulnerabilities in the SD-WAN vManage Software, one of [which could allow](<https://threatpost.com/critical-cisco-sd-wan-hyperflex-bugs/165923/>) an unauthenticated attacker to carry out remote code execution (RCE) on corporate networks or steal information.\n\nAnd just last month, Cisco [disclosed](<https://threatpost.com/critical-cisco-bugs-wireless-sd-wan/174991/>) two critical security vulnerabilities affecting the IOS XE software and its SD-WAN, the most severe of which would allow unauthenticated RCE and denial-of-service (DoS).\n", "cvss3": {}, "published": "2021-10-22T14:48:26", "type": "threatpost", "title": "Cisco SD-WAN Security Bug Allows Root Code Execution", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1529"], "modified": "2021-10-22T14:48:26", "id": "THREATPOST:BA0E5581F242C5682C0BAA251A227512", "href": "https://threatpost.com/cisco-sd-wan-bug-code-execution-root/175669/", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2023-05-18T15:34:12", "description": "A command injection vulnerability exists in the CLI of Cisco IOS XE SD-WAN Software due to insufficient input validation by the system CLI. 
An authenticated, local attacker can exploit this, by submitting crafted input to the system CLI, to execute arbitrary commands with root privileges.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-10-22T00:00:00", "type": "nessus", "title": "Cisco IOS XE Software SD WAN Command Injection (cisco-sa-sd-wan-rhpbE34A)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1529"], "modified": "2021-10-27T00:00:00", "cpe": ["cpe:/o:cisco:ios_xe"], "id": "CISCO-SA-SD-WAN-RHPBE34A-IOSXE.NASL", "href": "https://www.tenable.com/plugins/nessus/154348", "sourceData": "#TRUSTED\n#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154348);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/10/27\");\n\n script_cve_id(\"CVE-2021-1529\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvx50713\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-sd-wan-rhpbE34A\");\n script_xref(name:\"IAVA\", value:\"2021-A-0495\");\n\n script_name(english:\"Cisco IOS XE Software SD WAN Command Injection (cisco-sa-sd-wan-rhpbE34A)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch\");\n script_set_attribute(attribute:\"description\", value:\n\"A command injection vulnerability exists in the CLI of Cisco IOS XE SD-WAN Software due to insufficient input validation\nby the system CLI. 
An authenticated, local attacker can exploit this, by submitting crafted input to the system CLI, to\nexecute arbitrary commands with root privileges.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-rhpbE34A\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2e79ed52\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx50713\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvx50713\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1529\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(78);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/10/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/22\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:ios_xe\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 
and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ios_xe_version.nasl\");\n script_require_keys(\"Host/Cisco/IOS-XE/Version\", \"Host/Cisco/IOS-XE/Model\", \"Host/Cisco/SDWAN\");\n\n exit(0);\n}\n\ninclude('cisco_workarounds.inc');\ninclude('ccf.inc');\n\nget_kb_item_or_exit('Host/Cisco/SDWAN');\nvar product_info = cisco::get_product_info(name:'Cisco IOS XE Software');\n\n# Affects Cisco ISR1000, ISR4000, ASR1000, CSR1000V and Catalyst 8000 series\nvar model = toupper(product_info['model']);\n\nif (('ISR' >!< model || model !~ \"[14][0-9]{3}\") &&\n ('ASR' >!< model || model !~ \"1[0-9]{3}\") &&\n ('CATALYST' >!< model || model !~ \"8[0-9]{3}\") &&\n ('CSR' >!< model || model !~ \"1[0-9]{3}\"))\n audit(AUDIT_DEVICE_NOT_VULN, model);\n\n# Vulnerable model list\n\nvar version_list=make_list(\n '16.9.1',\n '16.9.2',\n '16.9.3',\n '16.9.4',\n '16.10.1',\n '16.10.2',\n '16.10.3',\n '16.10.3a',\n '16.10.3b',\n '16.10.4',\n '16.10.5',\n '16.10.6',\n '16.11.1',\n '16.11.1a',\n '16.11.1b',\n '16.11.1d',\n '16.11.1f',\n '16.11.1s',\n '16.12.1',\n '16.12.1a',\n '16.12.1b',\n '16.12.1b1',\n '16.12.1c',\n '16.12.1d',\n '16.12.1e',\n '16.12.2r',\n '16.12.3',\n '16.12.4',\n '16.12.4a',\n '16.12.5'\n);\n\nvar reporting = make_array(\n 'port' , product_info['port'],\n 'severity' , SECURITY_WARNING,\n 'bug_id' , 'CSCvx50713',\n 'version' , product_info['version']\n);\n\ncisco::check_and_report(\n product_info:product_info,\n reporting:reporting,\n vuln_versions:version_list\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisco": [{"lastseen": "2023-05-25T14:38:23", "description": "A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to execute arbitrary commands with root privileges.\n\nThe vulnerability is due to insufficient input validation by the system CLI. 
An attacker could exploit this vulnerability by authenticating to an affected device and submitting crafted input to the system CLI. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges.\n\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-rhpbE34A", "cvss3": {}, "published": "2021-10-20T16:00:00", "type": "cisco", "title": "Cisco IOS XE SD-WAN Software Command Injection Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-1529"], "modified": "2022-02-17T18:13:49", "id": "CISCO-SA-SD-WAN-RHPBE34A", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-rhpbE34A", "cvss": {"score": 7.8, "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}]}