Critical severity vulnerabilities could allow an unauthenticated cybercriminal to remotely perform a buffer overflow, potentially allowing command execution with root privileges, arbitrary code execution with administrator privileges, managing network devices or cause a denial of service condition on the device.
On the other hand, according to a publication made by the National Institute of Standards and Technologies of the United States, it is indicated that the vulnerable points and common exposures (CVE) related to said vulnerabilities are the following:
- CVE-2021-34770
- CVE-2021-34769
- CVE-2021-34768
- CVE-2021-34767
- CVE-2021-34740
Cisco has published 16 vulnerabilities, being 3 of critical severity and 13 of high severity, which affect multiple devices. These are some of the affected resources:
Cisco devices with a vulnerable version of Cisco IOS XE SD-WAN:
- 1000 Series Integrated Services Routers (ISRs)
- 4000 Series ISRs
- ASR 1000 Series Aggregation Services Routers
- Cloud Services Router 1000V Series
- Integrated Services Virtual (ISRv) Routers
Cisco devices with a vulnerable version of Cisco IOS XE for the Cisco Catalyst 9000 Family of Wireless Controllers:
- Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
- Catalyst 9800 Series Wireless Controllers
- Catalyst 9800 Wireless Controllers for Cloud
- Catalyst 9800-CL Wireless Controllers for Cloud
- Embedded Wireless Controller on Catalyst Access Points
-Cisco IOS XE Software with Rate Limit NAT feature enabled
-Cisco EWC Software for Catalyst Access Points
Cisco access points with management through SSH enabled:
- Aironet 1540 Series APs
- Aironet 1560 Series APs
- Aironet 1800 Series APs
- Aironet 2800 Series APs
- Aironet 3800 Series APs
- Aironet 4800 APs
- Catalyst 9100 APs
- Catalyst IW 6300 APs
- ESW6300 Series APs
- Integrated Access Point on 1100 Integrated Services Routers
- Cisco devices with a vulnerable version of Cisco IOS or IOS XE and have the IKEv2 AutoReconnect feature enabled.
Cisco cBR-8 Converged Broadband Routers:
- With the SNMP server feature enabled.
- With Cisco IOS XE versions earlier than 16.12.1z1 or 17.3.1x, and have the COPS feature enabled
Cisco Aironet AP Access Points:
- 6300 Series Embedded Services APs
- Aironet 1540 Series
- Aironet 1560 Series
- Aironet 1800 APs
- Aironet 2800 Series APs
- Aironet 3800 Series APs
- Aironet 4800 APs
- Catalyst 9100 APs
- Catalyst IW6300 Heavy Duty Series APs
- Integrated APs on 1100 Integrated Services Routers (ISRs)
What is the solution?
Cisco has released free software updates that address the vulnerabilities described in this advisory.
In any case, Cisco advises that each company must ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be compatible with the new version. If in doubt, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.