First published: Wed Sep 05 2018
A vulnerability in the Zero Touch Provisioning feature of the Cisco SD-WAN Solution could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data by using an invalid certificate. The vulnerability is due to insufficient certificate validation by the affected software. An attacker could exploit this vulnerability by supplying a crafted certificate to an affected device. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt confidential information on user connections to the affected software.
Credit: ykramarz@cisco.com
Affected Software | Affected Version | How to fix |
---|---|---|
Cisco vEdge 100 Firmware | <18.3.0 | |
Cisco vEdge 100 | | |
Cisco vEdge 1000 Firmware | <18.3.0 | |
Cisco vEdge 1000 | | |
Cisco vEdge 2000 Firmware | <18.3.0 | |
Cisco vEdge 2000 | | |
Cisco vEdge 5000 Firmware | <18.3.0 | |
Cisco vEdge 5000 | | |
Cisco vManage Network Management System | | |
The vulnerability ID is CVE-2018-0434.
The severity rating of CVE-2018-0434 is 7.4 (High).
The Cisco SD-WAN Solution with vEdge firmware versions earlier than 18.3.0 is affected by CVE-2018-0434.
An attacker can exploit this vulnerability by using an invalid certificate to gain unauthorized access to sensitive data.
References for CVE-2018-0434 are available at the following links: [SecurityFocus](http://www.securityfocus.com/bid/105294) and [Cisco Security Advisory](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-sd-wan-validation).