Cisco DNA allowed unauthorized users access to enterprise networks for a long time

IT systems audit specialists reported a critical vulnerability in the Cisco Digital Network Architecture (DNA) Center that, if exploited, could allow an unauthenticated threat actor to access critical internal system services.

In total, the company released 25 updates for several of its products. Two of the patches fix critical vulnerabilities, seven address high-impact flaws, and the remaining flaws are of medium severity. The vulnerability that experts consider most severe, CVE-2019-1848, exists due to insufficient restriction of access to the ports required for the operation of the Cisco DNA system, which is used to manage the network and correct network errors. The vulnerability has received a score of 9.3/10 on the Common Vulnerability Scoring System (CVSS) scale.

IT systems audit experts say this vulnerability could be exploited by connecting an unauthorized device to the network. All Cisco DNA versions earlier than 1.3 are affected, so system administrators will need to upgrade to a secure version.

Cisco SD-WAN, the company’s cloud architecture, also had to be updated because it had severe security flaws. The most severe of these flaws, tracked as CVE-2019-1625, is a privilege escalation vulnerability in the SD-WAN command-line interface. According to IT systems audit specialists, the vulnerability exists due to insufficient CLI authorization, so hackers could authenticate to a device to execute arbitrary commands and gain high privileges. The vulnerability impacts most Cisco solutions running an SD-WAN version earlier than 18.3.6, primarily routers for industrial environments.

Two other critical vulnerabilities were found in SD-WAN. CVE-2019-1624 allows hackers to inject arbitrary code with root user privileges. CVE-2019-1626 resides in the SD-WAN web user interface and could allow a remote hacker to obtain elevated privileges on a compromised Cisco vManage device.

According to specialists from the International Institute of Cyber Security (IICS), there is no evidence of any attempt to exploit these patched vulnerabilities in the wild; however, administrators must update their systems as soon as possible.