Federal agencies have until Friday evening to update certain Cisco networking devices that are vulnerable to compromise, the Cybersecurity and Infrastructure Security Agency said on Tuesday.
In an emergency directive about Cisco’s Software-Defined Wide-Area Networking (SD-WAN) systems, CISA said it was “aware of a cyber threat actor’s ongoing exploitation” of two vulnerabilities in Cisco Catalyst SD-WAN Manager and Catalyst SD-WAN Controller devices and called the activity “an imminent threat to federal networks.”
The directive requires agencies to identify all covered Cisco devices, report them to CISA and collect log data from them by the end of Thursday. Agencies then have until 5 p.m. Eastern Time on Friday to apply Cisco’s patches for the vulnerabilities. After that, agencies must scan their networks for signs of compromise and, if applicable, report any intrusions to CISA. They then must harden their Cisco SD-WAN devices using CISA’s guidance.
CISA also directed agencies to report back on their log collection, patching, hunting and hardening activities. It said it would report to the secretary of homeland security, the national cyber director and the Office of Management and Budget by May 1 on agencies’ compliance with the directive.
Global cyber threat to businesses
Federal agencies are not the only organizations at risk in these attacks. In a public alert about the exploitation activity, CISA, the National Security Agency and cyber agencies from Australia, Canada, New Zealand and the U.K. urged businesses and other organizations not covered by the emergency directive to patch their affected Cisco devices, analyze them for signs of compromise and harden them against future intrusions.
The Australian Signals Directorate’s Australian Cyber Security Centre published guidance for threat hunting associated with the Cisco vulnerabilities.
In its emergency directive, CISA cited two vulnerabilities: a newly disclosed authentication-bypass flaw and an older privilege-escalation flaw. Hackers have been using them in tandem to breach and maintain “long-term persistence” on affected devices, the agency said in its alert.
Cisco’s advisories describe and offer patches for the authentication-bypass flaw, which affects the Catalyst SD-WAN Controller, as well as five other vulnerabilities affecting Catalyst SD-WAN Manager that the company discovered while addressing the Controller flaw.
The six newly disclosed vulnerabilities carry severity ratings of “critical,” while the older flaw is considered high severity.
