Cisco is urging users to patch a vulnerability in the web-based management interface of Cisco SD-WAN vManage Software that could allow a remote attacker to bypass authorization and access sensitive information, modify system configuration or impact the system’s availability.
Cisco said it has released free software updates that address the vulnerability.
In an advisory, Cisco disclosed the vulnerability, which it said is due to insufficient authorization checking on the affected system.
An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to gain privileges beyond what would normally be authorized for their configured user authorization level. The attacker may be able to access sensitive information, modify the system configuration, or impact the availability of the affected system.
The vulnerability affects Cisco devices running a vulnerable release of Cisco SD-WAN vManage Software.
However, it doesn’t affect these products, according to Cisco:
- IOS XE SD-WAN Software
- SD-WAN vBond Orchestrator Software
- SD-WAN vEdge Routers
- SD-WAN vSmart Controller Software
There are no workarounds, so customers using the vulnerable products should patch the software immediately. Devices using releases 18.3 or prior will need to update their software. Read Cisco’s advisory for more information on how to patch the vulnerability.
According to ZDNet, the bug was discovered during a Cisco investigation with a customer, and Cisco said it wasn’t aware of public exploits of this vulnerability.