CVE-2020-26071
📋 TL;DR
This vulnerability allows authenticated local attackers on Cisco SD-WAN devices to create or overwrite arbitrary files through insufficient input validation in CLI commands. This could lead to denial of service conditions by corrupting critical system files. Only users with local CLI access on affected Cisco SD-WAN devices are impacted.
💻 Affected Systems
- Cisco SD-WAN Software
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through file corruption leading to persistent DoS, requiring device reimaging or replacement.
Likely Case
Local authenticated attacker causes service disruption by overwriting configuration or system files, resulting in temporary DoS.
If Mitigated
No impact if proper access controls prevent unauthorized local access and commands are validated.
🎯 Exploit Status
Requires authenticated CLI access but exploitation is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20.3.1, 20.4.1, 20.5.1 or later
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vsoln-arbfile-gtsEYxns
Restart Required: Yes
Instructions:
1. Download the appropriate fixed version from the Cisco Software Center.
2. Back up the current configuration.
3. Upgrade to the fixed version following Cisco SD-WAN upgrade procedures.
4. Verify upgrade completion and functionality.
🔧 Temporary Workarounds
No workarounds available
Cisco states there are no workarounds for this vulnerability.
🧯 If You Can't Patch
- Restrict local CLI access to only authorized administrators using RBAC
- Monitor and audit CLI command usage for suspicious file manipulation attempts
🔍 How to Verify
Check if Vulnerable:
Check the SD-WAN software version with the 'show version' command and compare it against the affected versions listed in the vendor advisory.
Check Version:
show version | include Version
Verify Fix Applied:
Verify that the version reported by 'show version' is 20.3.1, 20.4.1, 20.5.1 or later.
📡 Detection & Monitoring
Log Indicators:
- Unusual CLI command patterns with file path arguments
- Multiple failed file operations in system logs
- Unexpected file creation/modification events
Network Indicators:
- N/A - local exploitation only
SIEM Query:
source="cisco_sdwan" AND event_type="cli_command" AND command CONTAINS "file" AND (arguments CONTAINS "/" OR arguments CONTAINS "..")
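The SIEM query above, expressed as a small Python filter over constructed CLI audit lines. This is an added example, not code from Cisco or the advisory; the key=value log format, the user names and the command strings are assumptions made up for the demonstration.

```python
import re

# Constructed sample audit lines (format and command names are assumptions, not Cisco's).
SAMPLE_LOGS = [
    'ts=2020-11-05T10:01:02Z user=admin event_type=cli_command command="show version" args=""',
    'ts=2020-11-05T10:02:15Z user=ops event_type=cli_command command="file copy" args="../../etc/hosts /tmp/h"',
    'ts=2020-11-05T10:03:44Z user=ops event_type=cli_command command="show running-config" args=""',
    'ts=2020-11-05T10:04:10Z user=guest event_type=cli_command command="file write" args="/usr/lib/x"',
    'ts=2020-11-05T10:05:00Z user=admin event_type=cli_command command="show file" args="config.txt"',
    'ts=2020-11-05T10:06:30Z user=admin event_type=login command="" args="/"',
]

LINE_RE = re.compile(
    r'ts=(?P<ts>\S+) user=(?P<user>\S+) event_type=(?P<event_type>\S+) '
    r'command="(?P<command>[^"]*)" args="(?P<args>[^"]*)"'
)


def parse_line(line):
    """Parse one key=value audit line into a dict; returns None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def match_reason(event):
    """Apply the SIEM query's conditions; return why the event matched, or None."""
    if event["event_type"] != "cli_command":
        return None
    if "file" not in event["command"].lower():
        return None
    # Parenthesised OR from the query: traversal sequence or any path separator.
    if ".." in event["args"]:
        return "traversal sequence in arguments"
    if "/" in event["args"]:
        return "path separator in arguments"
    return None


def find_suspicious(lines):
    """Return (timestamp, user, command, reason) for every line the query would flag."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        reason = match_reason(event)
        if reason:
            hits.append((event["ts"], event["user"], event["command"], reason))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(hit)
```

Only "file copy" with a `..` argument and "file write" with an absolute path are flagged; "show file config.txt" and the non-CLI login event fall through, which is the conjunction the query relies on.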