Cisco SD-WAN vEdge Software Access Control List Bypass Vulnerability
TL;DR 📌
A vulnerability in Cisco SD-WAN vEdge Software could allow unauthenticated remote attackers to bypass access control lists (ACLs) on affected devices. This vulnerability has a medium severity rating (CVSS 5.8). Cisco has released fixed software and workarounds are available.
What happened 🕵️‍♂️
A vulnerability has been identified in the access control list (ACL) processing of IPv4 packets within Cisco SD-WAN vEdge Software. This flaw allows an unauthenticated remote attacker to bypass configured ACLs due to improper enforcement of the implicit deny rule at the end of an ACL. By exploiting this vulnerability, attackers can send unauthorized traffic to an affected device’s interface, potentially compromising network security.
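To make the failure mode concrete, here is an added illustration (not Cisco's code and not a model of the vEdge implementation): a first-match ACL evaluator whose `implicit_deny` switch contrasts the documented contract, where a packet matching no entry is dropped, with the broken behaviour the advisory describes, where unmatched traffic is forwarded. The ACL, addresses and probe packets are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    src: str               # source CIDR, e.g. "10.10.0.0/24"
    dst: str               # destination CIDR
    proto: str = "any"     # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # None matches any destination port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

def entry_matches(e: AclEntry, p: Packet) -> bool:
    return (ip_address(p.src) in ip_network(e.src)
            and ip_address(p.dst) in ip_network(e.dst)
            and e.proto in ("any", p.proto)
            and (e.dport is None or e.dport == p.dport))

def evaluate(acl: List[AclEntry], p: Packet, implicit_deny: bool = True) -> str:
    """First-match evaluation. implicit_deny=True is the ACL contract: a packet
    matching no entry is dropped. implicit_deny=False models the defect class
    in the advisory: the trailing deny is not enforced, so unmatched traffic
    is forwarded to the interface."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny" if implicit_deny else "permit"

# Constructed sample policy: only HTTPS from the management subnet should reach
# the interface address; SSH from that subnet is explicitly denied.
MGMT_ACL = [
    AclEntry("permit", "10.10.0.0/24", "192.0.2.1/32", "tcp", 443),
    AclEntry("deny", "10.10.0.0/24", "192.0.2.1/32", "tcp", 22),
]

def bypass_cases(acl: List[AclEntry]) -> List[Packet]:
    """Probes that a correct implicit deny blocks but a broken one forwards.
    Useful as a regression check when validating ACL behaviour after an upgrade."""
    probes = [
        Packet("10.10.0.5", "192.0.2.1", "tcp", 443),     # explicitly permitted
        Packet("10.10.0.5", "192.0.2.1", "tcp", 22),      # explicitly denied
        Packet("198.51.100.7", "192.0.2.1", "tcp", 443),  # no entry matches
        Packet("10.10.0.5", "192.0.2.1", "udp", 161),     # no entry matches
    ]
    return [p for p in probes
            if evaluate(acl, p, implicit_deny=True) == "deny"
            and evaluate(acl, p, implicit_deny=False) == "permit"]
```

Only the two probes that match no entry differ between the two modes; explicitly permitted and explicitly denied traffic behaves the same either way, which is why a policy audit that tests only listed entries will not catch this class of defect.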
Affected products 🖥️
The vulnerability affects Cisco SD-WAN vEdge Routers running a vulnerable release of Cisco SD-WAN vEdge Software. Only the 20.9 train is affected:
- Cisco SD-WAN vEdge Software Release 20.9: vulnerable (first fixed release: 20.9.7)
- Cisco SD-WAN vEdge Software Release 20.8 and earlier: not vulnerable
- Cisco SD-WAN vEdge Software Release 20.10 and later: not vulnerable
Fixed software 🔧
Upgrade to the first fixed release in your train (or later):
| Release / Product | First Fixed Release | Notes |
|---|---|---|
| Cisco SD-WAN vEdge Software 20.8 and earlier | Not vulnerable | |
| Cisco SD-WAN vEdge Software 20.9 | 20.9.7 | Upgrade to 20.9.7 or later |
| Cisco SD-WAN vEdge Software 20.10 and later | Not vulnerable | |
Advisory revision history: 1.0, initial public release.
Workarounds 🧯
As a workaround, administrators can determine which single ACL best fits the interface's requirements and configure only that one ACL type on the affected interface. Evaluate the applicability and potential impact of this workaround in your specific environment before deploying it.
Risk in context 🎯
The risk associated with this vulnerability is rated medium (CVSS 5.8). Exposure is primarily on internet-facing interfaces, since exploitation requires no authentication. There is no availability impact, but successful exploitation could give an attacker access to network resources that the ACLs were meant to protect. Organizations should assess their specific environments to understand the potential consequences.
Fast facts ⚡
- Vulnerability: ACL Bypass in Cisco SD-WAN vEdge Software
- CVSS Score: 5.8 (Medium)
- Exploitation: Unauthenticated remote attackers can bypass ACLs
- Fixed Software: 20.9.7 for affected versions
- Workaround: Configure a single ACL type on the interface
For leadership 🧭
This vulnerability poses a medium risk (CVSS 5.8) due to the potential for unauthorized access to network resources through bypassed ACLs. It is primarily internet-facing, allowing exploitation without authentication. Cisco recommends patching affected devices within 7 days using the fixed software release 20.9.7.
Operational impact involves a brief maintenance window with no expected configuration drift.
Now: Assess affected devices and plan for immediate patching.
Next: Implement the recommended workaround if patching cannot be completed promptly.
Later: Review network security policies and ACL configurations to enhance overall security posture.
Be aware that while workarounds exist, they are temporary solutions until the fixed software is applied.