At the time of publication, this vulnerability affected the following Cisco products if they were running a vulnerable release of Cisco IOS XE SD-WAN Software and had the SD-WAN feature enabled:
- 1000 Series Integrated Services Routers (ISRs)
- 4000 Series ISRs
- ASR 1000 Series Aggregation Services Routers (ASRs)
- Cloud Services Router (CSR) 1000V Series
Note: The SD-WAN feature is not enabled by default.
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.
Determine the Device Configuration
There are two methods for determining whether the SD-WAN feature is enabled on a device:
Option 1: Use the show running-config | include sdwan Command
To determine whether sdwan mode is enabled on a device, use the show running-config | include sdwan command and check the tunnel mode in the output. If the command returns tunnel mode sdwan, the sdwan feature is enabled and the device is vulnerable. If the command returns no output or the command does not exist, the SD-WAN feature is not enabled and the device is not affected by this vulnerability.
The following example shows the output of the show running-config | include sdwan command on a device that has the SD-WAN feature enabled:
Router# show running-config | include sdwan
tunnel mode sdwan
Option 2: Use the show version Command
Alternatively, use the show version command to determine whether the Cisco IOS XE device is in Controller mode. The end of the output includes the router operating mode, which indicates whether the device is in Controller mode.
The following example shows part of the show version command output on a device that has the SD-WAN feature enabled:
Router# show version
Router operating mode: Controller-Managed
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
- IOS Software
- IOS XR Software
- Meraki products
- NX-OS Software