Cisco SD-WAN Denial of Service Vulnerabilities

Vulnerability

Multiple denial of service (DoS) vulnerabilities exist in Cisco SD-WAN vEdge Routers, vBond Orchestrator, vEdge Cloud Routers, vManage, and vSmart Controller software. The bugs are due to insufficient handling of malformed packets (CVE-2021-1241) and improper bounds checking in IPSec tunnel management (CVE-2021-1273). Affected versions are those prior to the software updates described in the advisory [1]. An unauthenticated, remote attacker can trigger a DoS condition by sending crafted IPv4 or IPv6 packets through the affected device [1].

Exploitation

No authentication or privileged network access is required. The attacker sends specially crafted packets to the target device. For CVE-2021-1241, the crafted packets must traverse the VPN tunnel on a vulnerable vEdge Router. For CVE-2021-1273, the attacker sends crafted IPv4 or IPv6 packets that are processed by the IPSec tunnel management forwarding plane. Successful exploitation does not require user interaction or any race condition [1].

Impact

A successful exploit causes the affected device to reboot, resulting in a complete denial of service. The impact is limited to availability (no data disclosure or code execution); however, because the target is a network infrastructure device, the DoS can disrupt network connectivity across the SD-WAN fabric [1].

Mitigation

Cisco has released software updates that address both vulnerabilities. There are no workarounds. Administrators should upgrade to fixed software versions as indicated in the Cisco Security Advisory [1]. If immediate patching is not possible, network segmentation and access control lists may reduce exposure but are not a substitute for the update. Neither CVE is known to be exploited in the wild or listed on CISA KEV as of the advisory date [1].