Cisco SD-WAN Denial of Service Vulnerabilities

Vulnerability

Multiple denial of service (DoS) vulnerabilities exist in Cisco SD-WAN products, including vEdge Routers, vBond Orchestrator, vManage Software, vSmart Controller, and vEdge Cloud Routers. The vulnerabilities stem from insufficient handling of malformed packets and improper bounds checking in IPSec tunnel management. Affected software releases are those prior to the fixed versions provided in Cisco's advisory [1].

Exploitation

An unauthenticated, remote attacker can exploit these vulnerabilities by sending specially crafted IPv4 or IPv6 packets to an affected device. No authentication or user interaction is required. The attacker does not need prior access to the network beyond being able to send packets to the target device.

Impact

Successful exploitation causes the affected device to reboot or otherwise become unavailable, resulting in a denial of service condition. This can disrupt network operations and impact availability of SD-WAN services.

Mitigation

Cisco has released software updates that address these vulnerabilities. There are no workarounds. Users should upgrade to the latest fixed software versions as indicated in the Cisco Security Advisory [1].