Cisco IOS XE SD-WAN Software Packet Filtering Bypass Vulnerability

🚨 SEVERITY: MEDIUM — CVSS 5.3 Security Advisory

TL;DR 📌

A medium-severity vulnerability in Cisco IOS XE SD-WAN Software allows an unauthenticated, remote attacker to bypass Layer 3 and Layer 4 traffic filters and push packets into the network that those filters should have dropped. Only devices with SNMP enabled on an SD-WAN tunnel interface are exposed. Users are advised to apply the workarounds now and upgrade to fixed software as soon as it is available for their release train.

What happened 🕵️‍♂️

A vulnerability in the packet filtering features of Cisco IOS XE SD-WAN Software could allow an unauthenticated, remote attacker to bypass Layer 3 and Layer 4 traffic filters. The flaw is due to improper traffic filtering conditions on an affected device. An attacker could exploit it by sending a crafted packet to the device; a successful exploit lets the attacker inject malicious packets into the network past the filters that were supposed to stop them. Proof-of-concept exploit code is available, but there are no known instances of malicious exploitation at this time.

Affected products 🖥️

The following products are affected by this vulnerability:

  • Cisco IOS XE Software releases 17.2.1r and later in Controller mode.
  • Standalone Cisco IOS XE SD-WAN Software releases:
    • 16.9.1 through 16.9.4
    • 16.10.1 through 16.10.5
    • 16.11.1a
    • 16.12.2r through 16.12.4

A device running one of these releases is vulnerable only if SNMP is enabled on at least one SD-WAN tunnel interface. If SNMP is not enabled on any tunnel interface, the device is not affected, even when it runs a listed release.

Fixed software 🔧

Upgrade to the first fixed release for your release train, or to a later release. The fixed-release information captured for this page is:

Release / Product               First Fixed Release
Cisco IOS and IOS XE Software   Not specified

Advisory revisions:

1.1  Clarified the vulnerable configuration.
1.0  Initial public release.

Workarounds 🧯

To mitigate this vulnerability, users can implement the following workarounds:

  1. Configure an extended access control list (ACL) on the affected interfaces that permits only the ingress and egress traffic the device is expected to send and receive, and denies the rest.
  2. Configure a device access policy that drops unsolicited SNMP traffic, that is, SNMP that does not originate from your trusted management hosts.

These workarounds should be tested in your environment to ensure they do not negatively impact functionality or performance.
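The following is an added configuration example for an IOS XE SD-WAN router in controller mode; it is not taken from the Cisco advisory. It shows how to check whether SNMP is allowed on a tunnel interface (the vulnerable condition), how to remove that condition when SNMP over the tunnel is not needed, and how to apply the ACL workaround when it is. The interface name GigabitEthernet0/0/0, the management subnet 10.10.0.0/24 and the ACL name SDWAN-TUNNEL-IN are assumptions to be replaced with values from your environment.

```cisco
! Added example, not from the advisory. Interface, subnet and ACL name are assumed.
!
! 1. Check: is SNMP allowed on any SD-WAN tunnel interface?
!    "allow-service snmp" under tunnel-interface = vulnerable configuration,
!    "no allow-service snmp" = not exposed to this issue.
show sdwan running-config | section tunnel-interface
!
! Controller mode uses config-transaction / commit rather than configure terminal.
config-transaction
!
! 2. If SNMP polling over the tunnel is not required, disable the service on
!    each tunnel interface; this removes the vulnerable condition entirely.
 sdwan
  interface GigabitEthernet0/0/0
   tunnel-interface
    no allow-service snmp
   exit
  exit
 exit
!
! 3. If SNMP over the tunnel is required, restrict it with an extended ACL:
!    permit SNMP and traps only from the trusted management subnet (assumed
!    10.10.0.0/24), drop and log all other SNMP, and let everything else through
!    so SD-WAN control and data-plane traffic (DTLS, IPsec, BFD) is unaffected.
 ip access-list extended SDWAN-TUNNEL-IN
  remark Trusted SNMP managers (assumed 10.10.0.0/24)
  permit udp 10.10.0.0 0.0.0.255 any eq snmp
  permit udp 10.10.0.0 0.0.0.255 any eq snmptrap
  remark Unsolicited SNMP: drop and log for detection
  deny   udp any any eq snmp log
  deny   udp any any eq snmptrap log
  remark Remaining traffic continues to flow
  permit ip any any
 exit
 interface GigabitEthernet0/0/0
  ip access-group SDWAN-TUNNEL-IN in
 exit
 commit
end
!
! 4. Verify the ACL is attached and is accumulating deny hits.
show ip interface GigabitEthernet0/0/0 | include access list
show ip access-lists SDWAN-TUNNEL-IN
```

Two caveats when using this. First, the deny entries use a destination of any, so they also stop SNMP that merely transits the interface; if monitoring of hosts behind this router must cross the WAN, narrow the destination to the router's own addresses. Second, if the router is managed by vManage templates, a local CLI change leaves the device out of sync and is overwritten on the next template push, so make the same change through the feature template or a CLI add-on template instead.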

Risk in context 🎯

With a CVSS base score of 5.3, this vulnerability is rated Medium. The exposure comes from where the vulnerable configuration sits: SD-WAN tunnel interfaces are commonly internet-facing, and exploitation requires no authentication. The risk is moderate, but the ability to slip packets past Layer 3 and Layer 4 filters toward network resources that should be unreachable warrants prompt action.

Fast facts ⚡

  • Vulnerability: Packet Filtering Bypass
  • CVSS Score: 5.3 (Medium)
  • Exploitation: Proof-of-concept code available
  • SNMP Requirement: Vulnerable only if SNMP is enabled
  • Workarounds: ACL configuration and device access policy adjustments

For leadership 🧭

This vulnerability presents a Medium risk to our network infrastructure, with a CVSS score of 5.3. It is exploitable by unauthenticated remote attackers, and only devices with SNMP enabled on an SD-WAN tunnel interface are exposed. Prompt remediation is advised: patch within 7 days once fixed software is available for our release train, and apply the workarounds in the interim.

Operational impact is expected to be minimal, requiring a brief maintenance window with no anticipated configuration drift.

Now: Review affected devices and implement workarounds.
Next: Monitor for updates on fixed software releases.
Later: Plan for upgrades to the latest software versions once available.

Prompt action is essential to mitigate potential risks associated with this vulnerability.