CISOOnline

Attackers exploiting unpatched Cisco SD-WAN flaw

The older authentication bypass flaws were exploited by a cyberespionage threat actor that Cisco Talos tracks as UAT-8616. It is not clear whether the new vulnerability was exploited by the same group as part of its campaigns against enterprise SD-WAN deployments, but it was reported to Cisco by Google’s Mandiant division, which specializes in incident response.

“This vulnerability is due to insufficient validation of user-supplied input,” Cisco said in its advisory. “An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user.”

Mitigation

Until a patch is available, Cisco recommends upgrading to the latest available release so that the previously known authentication bypass exploits no longer work. Customers should also review the configuration of their edge devices, because Cisco has observed cases in which exploitation of this flaw resulted in configuration changes.
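One practical way to carry out that configuration review is to diff each edge device's current running configuration against a known-good baseline and flag any change that touches accounts or access settings. The script below is an added example written for this article, not code from Cisco or from the article itself; the two configuration snapshots are constructed and the list of "sensitive" keywords is an assumed heuristic that should be adapted to the platform being reviewed.

```python
import difflib
import re

# Constructed sample snapshots (not taken from any real device). BASELINE is
# the last known-good configuration; CURRENT is what the device shows now.
BASELINE = """\
system
 host-name edge-01
 system-ip 10.1.1.1
 site-id 100
!
aaa
 user admin
  group netadmin
!
"""

CURRENT = """\
system
 host-name edge-01
 system-ip 10.1.1.1
 site-id 100
!
aaa
 user admin
  group netadmin
 user support
  group netadmin
!
"""

# Assumed heuristic: lines mentioning these keywords affect accounts,
# authentication or remote access and deserve a closer look when they change.
SENSITIVE = re.compile(r"\b(user|aaa|ssh|netconf|password|secret|group)\b")


def normalize(text):
    """Drop blank lines and trailing whitespace so only real changes appear."""
    return [line.rstrip() for line in text.splitlines() if line.strip()]


def config_changes(baseline, current):
    """Return (added, removed) configuration lines between two snapshots."""
    base, cur = normalize(baseline), normalize(current)
    matcher = difflib.SequenceMatcher(a=base, b=cur, autojunk=False)
    added, removed = [], []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            removed.extend(base[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(cur[j1:j2])
    return added, removed


def flag_sensitive(lines):
    """Keep only the changed lines that match the SENSITIVE keyword list."""
    return [line for line in lines if SENSITIVE.search(line)]


def review(baseline, current):
    """Summarize drift: every added/removed line plus the sensitive subset."""
    added, removed = config_changes(baseline, current)
    return {
        "added": added,
        "removed": removed,
        "sensitive": flag_sensitive(added + removed),
    }


if __name__ == "__main__":
    report = review(BASELINE, CURRENT)
    for kind in ("added", "removed"):
        for line in report[kind]:
            print(f"{kind:>7}: {line}")
    if report["sensitive"]:
        print("REVIEW: account/access-related changes found:")
        for line in report["sensitive"]:
            print(f"  {line}")
```

Run the same comparison for every edge device using a baseline captured before the suspected exposure window; an unexplained new account, as in the constructed sample, is exactly the kind of change that warrants treating the device as compromised rather than simply upgrading it.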

Before upgrading SD-WAN deployments, users are advised to save all relevant log files and to issue the request admin-tech command on each of the control components to collect its admin-tech file.
