Cisco patched critical- and high-severity holes in its Policy Suite, SD-WAN, and Nexus products.
All of the issues were found internally, and Cisco said it is not aware of any active exploitation at this time.
Cisco advised users of its Policy Suite to upgrade to release 18.2.0 as soon as possible, because it incorporates fixes for four critical vulnerabilities:
• CVE-2018-0375 affects the Cluster Manager of the Suite. The root account carries default, static credentials, so an unauthenticated, remote attacker could log in to an affected system as root and execute arbitrary commands with root privileges.
• CVE-2018-0374 affects the Policy Builder database of the Suite and could be exploited by an unauthenticated, remote attacker to read and change any data in the Policy Builder database.
• CVE-2018-0376 affects the Policy Builder interface of the Suite and could be exploited by an unauthenticated, remote attacker to access the interface, make changes to existing repositories, and create new repositories.
• CVE-2018-0377 affects the Open Services Gateway initiative (OSGi) interface of the Suite and could be exploited by an unauthenticated, remote attacker to access or change any files accessible to the OSGi process.
Cisco SD-WAN is a cloud-delivered overlay WAN architecture for enterprises. The SD-WAN fixes address high-severity flaws, including remote code execution, command injection, denial of service (DoS), and arbitrary file overwrite vulnerabilities.
Users of vBond Orchestrator Software, the vEdge Cloud Router Platform, vManage Network Management Software, vSmart Controller Software, and the various vEdge router series should check which Cisco SD-WAN release they are running. Anything prior to release 18.3.0 should be upgraded to that release, as there are no workarounds for any of these vulnerabilities.
Cisco Nexus 9000 Series Fabric Switches in ACI mode running software version 13.0(1k) should also be updated to 13.0(2k) or later to close a DoS flaw found during the resolution of a Cisco Technical Assistance Center (TAC) support case.
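Since every fix above is "upgrade to release X", the practical check is a version sweep over an inventory. The helper below is an added example written for this page, not code from the article or from Cisco: it takes the three fixed releases named above and flags any host still running something older, handling both the dotted release format (18.2.0) and the ACI-style format (13.0(1k)). The hostnames and installed releases in SAMPLE_INVENTORY are constructed sample data, and the assumption that these products report releases in exactly these two formats is mine.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases as named in the article. Treating them as "minimum safe version" is an
# assumption of this example; confirm exact affected-release lists against Cisco's advisories.
FIXED_RELEASES: Dict[str, str] = {
    "Cisco Policy Suite": "18.2.0",
    "Cisco SD-WAN": "18.3.0",
    "Nexus 9000 ACI": "13.0(2k)",
}

# ACI-style release strings look like 13.0(1k): major.minor(maintenance + optional patch letter).
_ACI_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)$")
_DOTTED_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(release: str) -> Tuple[int, int, int, int]:
    """Turn a dotted (18.2.0) or ACI-style (13.0(1k)) release string into a comparable 4-tuple.

    Dotted releases are zero-padded so that 17.2 compares as 17.2.0.0; for ACI strings the
    patch letter becomes the fourth component (a=1, b=2, ...; no letter sorts first).
    """
    release = release.strip()
    m = _ACI_RE.match(release)
    if m:
        major, minor, maint, letter = m.groups()
        letter_rank = ord(letter) - ord("a") + 1 if letter else 0
        return (int(major), int(minor), int(maint), letter_rank)
    if _DOTTED_RE.match(release):
        parts = [int(p) for p in release.split(".")]
        parts = (parts + [0, 0, 0, 0])[:4]
        return (parts[0], parts[1], parts[2], parts[3])
    raise ValueError(f"unrecognised release string: {release!r}")


def needs_upgrade(product: str, installed: str) -> bool:
    """True when the installed release is older than the fixed release for that product."""
    return parse_version(installed) < parse_version(FIXED_RELEASES[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, installed, fixed) for every inventory entry that still needs patching."""
    return [
        (host, product, installed, FIXED_RELEASES[product])
        for host, product, installed in inventory
        if needs_upgrade(product, installed)
    ]


# Constructed sample inventory: hypothetical hostnames and releases, not real devices.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("pcrf-cm-01", "Cisco Policy Suite", "18.1.0"),
    ("pcrf-cm-02", "Cisco Policy Suite", "18.2.0"),
    ("vmanage-01", "Cisco SD-WAN", "18.2.0"),
    ("vedge-lab-01", "Cisco SD-WAN", "18.3.0"),
    ("n9k-leaf-01", "Nexus 9000 ACI", "13.0(1k)"),
    ("n9k-leaf-02", "Nexus 9000 ACI", "13.0(2k)"),
    ("n9k-spine-01", "Nexus 9000 ACI", "13.1(1i)"),
]

if __name__ == "__main__":
    for host, product, installed, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {installed} is below fixed release {fixed}; upgrade")
```

Two caveats on reading the output. The article names only 13.0(1k) as the affected Nexus release, but the check deliberately flags anything older than 13.0(2k), since a fixed-version threshold is what an inventory sweep can act on; reconcile any hit with the advisory before scheduling work. And for Policy Suite, the sweep only tells you who is exposed: because the Cluster Manager root credentials are static, there is nothing to rotate, so the upgrade is the remediation.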