Remote Code Execution in Cisco IOS XE

Overview

Cisco have released patches for three critical vulnerabilities in their IOS XE software.

The most critical (CVE-2021-34770) affects Catalyst 9000 series wireless controllers and allows an attacker to run arbitrary code as root.

Another (CVE-2021-34727) would allow arbitrary root code execution on routers with SD-WAN enabled.

The third (CVE-2021-1619), an authentication bypass, would allow an unauthenticated attacker to change configuration on the device.

Impact

A remote attacker could execute code and take control of the affected devices.

Vulnerability Detection

Qualys and Nessus have plugins that detect affected versions of IOS XE.

Affected Products

CAPWAP RCE (CVE-2021-34770)

  • Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
  • Catalyst 9800 Series Wireless Controllers
  • Catalyst 9800-CL Wireless Controllers for Cloud
  • Embedded Wireless Controller on Catalyst Access Points

NETCONF/RESTCONF Auth bypass (CVE-2021-1619)

Cisco IOS XE Software running in autonomous or controller mode, and Cisco IOS XE SD-WAN Software. For either to be affected, all of the following must be configured:

  • AAA
  • NETCONF, RESTCONF, or both
  • enable password without enable secret
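As an added example (not from the advisory or from Cisco), the following Python check applies the three configuration preconditions above to a saved running-config and reports whether a device meets all of them. The sample configs are constructed; the script checks configuration only, so whether the running release is affected still has to be confirmed against Cisco's advisory.

```python
"""Added example: check a saved IOS XE running-config for the three
configuration preconditions listed for CVE-2021-1619 (AAA, NETCONF
and/or RESTCONF, enable password without enable secret). This is a
precondition check only; the software release must be checked separately."""


def parse_conditions(config_text: str) -> dict:
    """Return which of the listed preconditions appear in the config."""
    found = {"aaa": False, "netconf": False, "restconf": False,
             "enable_password": False, "enable_secret": False}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # blank / IOS separator lines
            continue
        if line == "aaa new-model":
            found["aaa"] = True
        elif line == "netconf-yang" or line.startswith("netconf-yang "):
            found["netconf"] = True
        elif line == "restconf" or line.startswith("restconf "):
            found["restconf"] = True
        elif line.startswith("enable password"):
            found["enable_password"] = True
        elif line.startswith("enable secret"):
            found["enable_secret"] = True
    return found


def meets_bypass_preconditions(config_text: str) -> bool:
    """True only when AAA, NETCONF or RESTCONF, and an enable password
    are all configured and no enable secret is present."""
    c = parse_conditions(config_text)
    return (c["aaa"] and (c["netconf"] or c["restconf"])
            and c["enable_password"] and not c["enable_secret"])


# Constructed sample configs (not real device output); the secret hash
# is a placeholder, not a real IOS XE hash.
VULNERABLE_CONFIG = "!\naaa new-model\nenable password 7 0822455D0A16\n" \
                    "netconf-yang\nrestconf\n!\n"
HARDENED_CONFIG = "!\naaa new-model\nenable secret 9 $9$PLACEHOLDER\n" \
                  "netconf-yang\nrestconf\n!\n"

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(name, "meets preconditions:", meets_bypass_preconditions(cfg))
```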

SD-WAN Buffer Overflow (CVE-2021-34727)

Any of the following with SD-WAN enabled (SD-WAN is disabled by default):

  • 1000 Series Integrated Services Routers (ISRs)
  • 4000 Series ISRs
  • ASR 1000 Series Aggregation Services Routers
  • Cloud Services Router 1000V Series

Containment, Mitigations & Remediations

Update to the latest version.

More generally, ACLs should be used to block access attempts to NETCONF and RESTCONF from untrusted subnets.

Cisco have published guidance on their website for hardening IOS devices.

Indicators of Compromise

Cisco are not aware of any in-the-wild exploitation of these vulnerabilities.

Threat Landscape

Cisco are one of the major vendors of networking equipment. Their products span domestic equipment to large, multinational organisation infrastructure. Some of the equipment identified as vulnerable spans the small, medium, and large enterprise markets. The global prevalence of these devices and the ease and extent to which these vulnerabilities can be exploited mean that these devices will become key targets for malicious attackers and red teams.

Mitre Methodologies

T1190 – Exploit Public-Facing Application

Further Information

Cisco IOS XE Software for Catalyst 9000 Family Wireless Controllers CAPWAP Remote Code Execution Vulnerability

Cisco IOS XE Software NETCONF and RESTCONF Authentication Bypass Vulnerability

Cisco IOS XE SD-WAN Software Buffer Overflow Vulnerability