Cisco has fixed a High risk Cisco IOS XE SD-WAN Software command injection vulnerability that could lead to code execution as root. The tech giant also released security updates for Analog Telephone Adapter and Web Security Appliance vulnerabilities.
An attacker could exploit these vulnerabilities and potentially take over affected devices.
“The vulnerability is due to insufficient input validation by the system CLI. An attacker could exploit this vulnerability by authenticating to an affected device and submitting crafted input to the system CLI. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges,” Cisco warned in the advisory on October 20, 2021.
Cisco confirmed the vulnerability (CVE-2021-1529) affects the following Cisco products when running vulnerable Cisco IOS XE Software:
- 1000 Series Integrated Services Routers (ISRs)
- 4000 Series ISRs
- ASR 1000 Series Aggregation Services Routers
- Catalyst 8000 Series Edge Platforms
- Cloud Services Router (CSR) 1000V Series
The vulnerability has a CVSS base score of 7.8 and is rated High severity.
Other Cisco patches
In addition, Cisco patched two Cisco ATA 190 Series Analog Telephone Adapter Software vulnerabilities (CVE-2021-34710, CVE-2021-34735) and a Web Security Appliance Proxy Service denial-of-service vulnerability (CVE-2021-34698). These updates were released October 22, 2021.
Cisco also said it is not aware of any publicly known exploits of these vulnerabilities.
Readers can consult the Cisco Security Advisories page for a full listing of the latest security updates across all Cisco products.