Cisco SD-WAN Denial of Service Vulnerabilities

Vulnerability

CVE-2021-1241 is a denial of service (DoS) vulnerability in the VPN tunneling features of Cisco SD-WAN vEdge Routers. The flaw is due to insufficient handling of malformed packets. An unauthenticated, remote attacker can trigger the vulnerability by sending specially crafted packets through the affected device. The vulnerability affects multiple Cisco SD-WAN software releases; administrators should refer to the Cisco advisory [1] for the full list of affected versions.

Exploitation

The attacker requires no authentication and no prior access to the device. Exploitation is performed by sending crafted packets destined to traverse the VPN tunnel of an affected vEdge Router. The attacker does not need to be on the same network segment as the target device; the attack can be launched from any network reachable by the device [1]. No user interaction or special timing is required.

Impact

Successful exploitation causes the vEdge Router to unexpectedly reboot, resulting in a complete denial of service for traffic traversing the device. The impact is limited to availability (CIA: availability only) and does not allow the attacker to read, modify, or exfiltrate data. The CVSS base score is 8.6 (High) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H [1].

Mitigation

Cisco has released software updates that address this vulnerability; fixed versions are identified in the security advisory [1]. There are no workarounds available for this vulnerability. Administrators should upgrade to a patched software release as soon as possible. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].