Cisco has identified a critical vulnerability in the vContainer of its SD-WAN Solution that could allow a remote attacker to cause a denial-of-service condition.
The vulnerability stems from improper bounds checking by the vContainer, which an attacker could exploit by sending malicious files to an affected instance. The attacker could cause a buffer overflow condition on the vContainer, resulting in a denial-of-service condition and allowing them to execute arbitrary code as the root user.
The issue affects Cisco vSmart Controller software that's running a version of Cisco's SD-WAN Solution prior to Release 18.4.0. It only affects the Cisco-hosted vContainer for the SD-WAN Solution.
Cisco has already issued a fix for the vulnerability, but end-users won't be able to install the free update themselves. Instead, the company said customers must engage their Cisco support contact to deploy the fix.
There are no known workarounds to fix the issue. Cisco's full security advisory notice can be accessed here.
In December 2018, the company revealed another critical vulnerability, this one in its license manager product, that could allow attackers to execute arbitrary SQL queries in Cisco Prime License Manager. The vulnerability was caused by a lack of proper validation of user-supplied input in SQL queries.