Cisco SD-WAN vEdge Software
cpe:2.3:a:cisco:sd-wan_vedge_router:*:*:*:*:*:*:*
- >= 20.9, < 20.9.7
A vulnerability exists in the access control list (ACL) processing of IPv4 packets in Cisco SD-WAN vEdge Software. This vulnerability allows an unauthenticated, remote attacker to bypass a configured ACL. The issue arises from improper enforcement of the implicit deny-all rule at the end of a configured ACL, enabling unauthorized traffic to be sent to an affected device's interface, thereby circumventing ACL protections.
Exploitation of this vulnerability could allow an attacker to bypass ACL protections on an affected device, potentially leading to unauthorized access or manipulation of network traffic. The specific impact would depend on the assets that the ACL was intended to protect.
Cisco has released software updates that address this vulnerability. Administrators running the 20.9 release should upgrade to version 20.9.7; releases 20.10 and later are not affected. A workaround is also available: administrators should configure ACLs that suit their needs on the affected interfaces.