Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
A vulnerability in the Cisco SD-WAN vManage management tool enables a remote, unauthenticated attacker to obtain read or restricted write capabilities to the configuration of the compromised instance.
Cisco SD-WAN vManage is a cloud-based solution that allows organizations to design, deploy, and manage distributed networks across multiple locations. vManage instances are deployments that may be used for centralized network management, configuring VPNs, orchestrating SD-WAN, deploying device configurations, enforcing policies, etc.
Yesterday, Cisco released a security bulletin advising of a critical-severity vulnerability, identified as CVE-2023-20214, in the request authentication validation for the REST API of Cisco SD-WAN vManage software.
Details on the Vulnerability: What Versions Are Affected?
The flaw is caused by insufficient request validation when using the REST API feature, which can be exploited by sending a special API request to the affected vManage instances.
If successful, this could enable attackers to read sensitive information from the compromised system, modify certain configurations, or disrupt network operations, to name a few.
A successful exploit could allow the attacker to retrieve information from and send information to the configuration of the affected Cisco vManage instance… This vulnerability only affects the REST API and does not affect the web-based management interface or the CLI.
The Cisco SD-WAN vManage versions affected by CVE-2023-20214 are:
- 6.3.3 – fixed in v20.6.3.4
- 6.4 – fixed in v20.6.4.2
- 6.5 – fixed in v20.6.5.5
- 9 – fixed in v20.9.3.2
- 10 – fixed in v20.10.1.2
- 11 – fixed in v20.11.1.2
Cisco SD-WAN vManage versions 20.7 and 20.8 are also affected, but for those there won’t be any fixes released, so the users of these versions are advised to migrate to a different version. Versions between 18.x and 20.x not mentioned in the list are not impacted by the vulnerability.
Cisco says there are no workarounds for this vulnerability, however, there are ways to significantly reduce the attack surface. For instance, network administrators are advised to use access control lists (ACLs) that limit access to vManage instances only to specified IP addresses, shutting the door to external attackers.
Using API keys to access APIs is another strong security step. Cisco generally recommends this, although it is not a strict requirement for vManage implementations.
Admins are also instructed to monitor logs to detect attempts to access the REST API, indicating potential vulnerability exploitation. To view the content of the vmanage-server.log file, use the command “vmanage# show log /var/log/nms/vmanage-server.log”
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.
Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.
