Symptom
A vulnerability in the Cisco IOS XE SD-WAN Software CLI could allow an authenticated, local attacker to escalate their privileges and execute arbitrary code on the underlying operating system as the root user. An attacker must be authenticated on an affected device as a PRIV15 user.
This vulnerability is due to insufficient file system protection and the presence of a sensitive file in the bootflash directory on an affected device. An attacker could exploit this vulnerability by overwriting an installer file stored in the bootflash directory with arbitrary commands that can be executed with root-level privileges. A successful exploit could allow the attacker to read and write changes to the configuration database on the affected device.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxesdwan-privesc-VP4FG3jD
Conditions
For information on fixed software versions, consult the Cisco IOS Software Checker:
https://tools.cisco.com/security/center/softwarechecker.x
See the Vulnerable Products section of the advisory for full details:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxesdwan-privesc-VP4FG3jD#vp
Workaround
There are no workarounds that address this vulnerability.
Further Problem Description
Please refer to the Security Advisory.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 3 score. The Base CVSS score as of the time of evaluation is 6:
https://tools.cisco.com/security/center/cvssCalculator.x?version=3.0&vector=CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CVE ID CVE-2021-34724 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html