CVE-2018-0348

Name of the Vulnerable Software and Affected Versions Cisco SD-WAN Solution versions prior to 18.3.0 vBond Orchestrator Software versions prior to 18.3.0 vEdge 100 Series Routers versions prior to 18.3.0 vEdge 1000 Series Routers versions prior to 18.3.0 vEdge 2000 Series Routers versions prior to 18.3.0 vEdge 5000 Series Routers versions prior to 18.3.0 vEdge Cloud Router Platform versions prior to 18.3.0 vManage Network Management Software versions prior to 18.3.0 vSmart Controller Software versions prior to 18.3.0

Description A vulnerability in the CLI of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The issue is due to insufficient input validation. An attacker could exploit this by authenticating to the device and submitting malicious input to the load command within the VPN subsystem. A successful exploit could allow an attacker to execute commands with root privileges.

Recommendations For versions prior to 18.3.0, update to Release 18.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected CLI parameter until a patch is available. Avoid using the load command within the VPN subsystem in the affected CLI until the issue is resolved.