VYPR
Unrated severity · NVD Advisory · Published Sep 30, 2022 · Updated Nov 1, 2024

Cisco SD-WAN Arbitrary File Deletion Vulnerability

CVE-2022-20850

Description

A vulnerability in the CLI of stand-alone Cisco IOS XE SD-WAN Software and Cisco SD-WAN Software could allow an authenticated, local attacker to delete arbitrary files from the file system of an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by injecting arbitrary file path information when using commands in the CLI of an affected device. A successful exploit could allow the attacker to delete arbitrary files from the file system of the affected device.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated local attacker can delete arbitrary files via improper input validation in Cisco SD-WAN CLI.

Vulnerability

The vulnerability resides in the CLI of stand-alone Cisco IOS XE SD-WAN Software and Cisco SD-WAN Software. Due to insufficient input validation, an authenticated local attacker can inject arbitrary file path information when using CLI commands, allowing deletion of arbitrary files from the file system. For Cisco stand-alone IOS XE SD-WAN, release 16.9 is affected and has no fixed release (migrate to a fixed release), release 16.10 is affected and fixed in 16.10.1, and releases 16.11 and 16.12 are not affected. For Cisco SD-WAN Software, releases 18.3 and earlier are affected (migrate to a fixed release), release 18.4 is affected and fixed in 18.4.5, and releases 19.2, 20.3, 20.6, and 20.9 are not affected [1].

Exploitation

An attacker must have authenticated local access to the affected device's CLI. The attacker then injects arbitrary file path information into specific CLI commands to target files for deletion. No additional user interaction or privileges beyond authentication are required [1].

Impact

Successful exploitation allows the attacker to delete arbitrary files from the file system of the affected device, potentially causing denial of service or rendering the device inoperable [1].

Mitigation

Fixed releases are available: Cisco IOS XE SD-WAN version 16.10.1 and Cisco SD-WAN Software version 18.4.5. For releases without a fix (e.g., 16.9 and earlier, 18.3 and earlier), customers should migrate to a fixed release. No workarounds are documented. Customers should consult the Cisco Security Advisory for the most current information [1].
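As an added example (not code from Cisco or from this page's source), the release guidance above can be turned into a fleet triage check. The product labels `ios-xe-sdwan` and `sdwan`, the status names, and the sample inventory are assumptions made for illustration; trains the page does not name are reported as `unlisted` rather than guessed.

```python
# Release guidance for CVE-2022-20850 as stated on this page.
# Product keys and status names are hypothetical labels for this example.
GUIDANCE = {
    "ios-xe-sdwan": {"migrate_max": (16, 9),
                     "fixed": {(16, 10): (16, 10, 1)},
                     "clean": {(16, 11), (16, 12)}},
    "sdwan": {"migrate_max": (18, 3),
              "fixed": {(18, 4): (18, 4, 5)},
              "clean": {(19, 2), (20, 3), (20, 6), (20, 9)}},
}

def parse_release(text):
    """Turn '18.4.302' into (18, 4, 302); reject anything not purely numeric."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable release {text!r}")
    return tuple(int(p) for p in parts)

def triage(product, release):
    """Classify one device: migrate / upgrade / fixed / not-affected / unlisted."""
    rules = GUIDANCE.get(product)
    if rules is None:
        return "unlisted"
    try:
        ver = parse_release(release)
    except ValueError:
        return "unlisted"            # e.g. lettered builds: review by hand
    train = ver[:2]
    if train <= rules["migrate_max"]:
        return "migrate"             # no fixed release in this train
    if train in rules["fixed"]:
        # A bare train such as (16, 10) sorts below (16, 10, 1): still affected.
        return "fixed" if ver >= rules["fixed"][train] else "upgrade"
    if train in rules["clean"]:
        return "not-affected"
    return "unlisted"                # train not named on the page: do not guess

# Constructed sample inventory (hostnames and releases are made up).
INVENTORY = [
    ("edge-01", "ios-xe-sdwan", "16.9.4"),
    ("edge-02", "ios-xe-sdwan", "16.10"),
    ("vedge-01", "sdwan", "18.4.4"),
    ("vedge-02", "sdwan", "18.4.5"),
    ("vedge-03", "sdwan", "20.4.1"),
]

def triage_inventory(rows):
    """Map each hostname to its triage status."""
    return {host: triage(product, release) for host, product, release in rows}
```

Devices reported as `unlisted` need a manual check against the Cisco Security Advisory, since this page gives no guidance for their release train.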

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
