Get in Touch
Remote Code Execution in Cisco IOS XE
Cisco have released patches for three critical vulnerabilities in their IOS XE software.
The most critical (CVE-2021-34770) affects Catalyst 9000 series wireless controllers and allows an attacker to run arbitrary code as root.
Another (CVE-2021-34727) would allow arbitrary root code execution on routers with SD-WAN enabled.
The third (CVE-2021-1619), an authentication bypass, would allow an unauthenticated attacker to change configuration on the device.
A remote attacker could execute code and take control of the affected devices.
Qualys and Nessus have plugins to detect this version of IOS XE.
CAPWAP RCE (CVE-2021-34770)
- Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
- Catalyst 9800 Series Wireless Controllers
- Catalyst 9800-CL Wireless Controllers for Cloud
- Embedded Wireless Controller on Catalyst Access Points
NETCONF/RESTCONF Auth bypass (CVE-2021-1619)
Cisco IOS XE Software if it is running in autonomous or controller mode and Cisco IOS XE SD-WAN Software. For either to be affected, all of the following must be configured:
NETCONF, RESTCONF, or both
enable password without enable secret
SD-WAN Buffer Overflow (CVE-2021-34727)
Any of the following with SD-WAN enabled (disabled by default)
- 1000 Series Integrated Services Routers (ISRs)
- 4000 Series ISRs
- ASR 1000 Series Aggregation Services Routers
- Cloud Services Router 1000V Series
Containment, Mitigations & Remediations
Update to the latest version.
More generally ACLs should be used to prevent attempted access to NETCONF and RESTCONF from untrusted subnets.
Cisco have published guidance on their website for hardening IOS devices.
Indicators of Compromise
Cisco are not aware of any in the wild exploitation of this vulnerability.
Cisco are one of the major vendors of networking equipment. Their products span domestic equipment to large, multinational organisation infrastructure. Some of the equipment identified as being vulnerable span small, medium, and large enterprise markets. The global prevalence of these devices and the ease and extent to which these vulnerabilities can be exploited mean that these devices will become key targets for malicious attackers and red teams.
– T1190 – Exploit Public-Facing Application
Cisco IOS XE Software for Catalyst 9000 Family Wireless Controllers CAPWAP Remote Code Execution Vulnerability
Cisco IOS XE Software NETCONF and RESTCONF Authentication Bypass Vulnerability
Cisco IOS XE SD-WAN Software Buffer Overflow Vulnerability