Cisco fixed a critical flaw in SD-WAN vManage

Pierluigi Paganini July 17, 2023

Cisco warns of a critical unauthenticated REST API access vulnerability, tracked as CVE-2023-20214, impacting its SD-WAN vManage.

Cisco addressed a critical unauthenticated REST API access vulnerability, tracked as CVE-2023-20214 (CVSS Score 9.1), impacting its SD-WAN vManage.

An unauthenticated, remote attacker can exploit the vulnerability to gain read permissions or limited write permissions to the configuration of an affected instance.

“This vulnerability is due to insufficient request validation when using the REST API feature. An attacker could exploit this vulnerability by sending a crafted API request to an affected vManage instance.” reads the advisory published by the company. “A successful exploit could allow the attacker to retrieve information from and send information to the configuration of the affected Cisco vManage instance.”

Cisco SD-WAN vManage is a central management platform designed for Cisco’s Software-Defined Wide Area Network (SD-WAN) solution. SD-WAN technology is used to connect and manage networks across multiple locations, providing improved performance, scalability, and flexibility compared to traditional WAN architectures.

The IT giant pointed out that the security flaw only affects the REST API and does not impact the web-based management interface or the CLI.

The vulnerability affects the following Cisco SD-WAN vManage releases:

  • v20.6.3.3 – fixed with the release v20.6.3.4
  • v20.6.4 – fixed with the release v20.6.4.2
  • v20.6.5 – fixed with the release v20.6.5.5
  • v20.9 – fixed with the release v20.9.3.2
  • v20.10 – fixed with the release v20.10.1.2
  • v20.11 – fixed with the release v20.11.1.2

According to the advisory, SD-WAN vManage versions 20.7 and 20.8 are also impacted, but for these versions the company recommends that customers migrate to a fixed release.

The company announced that there are no workarounds to address this vulnerability; however, it recommends that network administrators reduce the attack surface by:

  • using access control lists (ACLs) to limit access to the vManage instance.
  • using API keys to access APIs.

The company also recommends examining the logs to detect attempts to access the REST API.

“Administrators can use the CLI command show log, as in the following example, to view the content of the vmanage-server.log file:”

vmanage# show log /var/log/nms/vmanage-server.log
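To make the log review and ACL recommendations above concrete, here is an added example (not from the article or from Cisco) that scans log lines for REST API requests and reports the ones coming from outside an administrator-defined allowlist. The log line layout, the sample entries and the `/dataservice/` API path prefix are all assumptions for illustration, not the real vmanage-server.log format, so the regex has to be adapted to the actual file.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines. This is a hypothetical layout
# "<timestamp> <level> <src_ip> <method> <path> <status>", NOT the real
# vmanage-server.log format, which the article does not reproduce.
SAMPLE_LOG = """\
2023-07-17T09:12:01Z INFO 10.0.0.5 GET /dataservice/device 200
2023-07-17T09:12:07Z INFO 203.0.113.9 GET /dataservice/settings/configuration 200
2023-07-17T09:12:08Z INFO 203.0.113.9 POST /dataservice/template/feature 200
2023-07-17T09:13:00Z INFO 10.0.0.5 GET /login 200
"""

LINE_RE = re.compile(r"^(\S+) \S+ (\S+) (GET|POST|PUT|DELETE) (/\S*) (\d{3})$")

# Assumption: REST API endpoints live under this prefix; web UI pages do not.
API_PREFIX = "/dataservice/"


def parse_api_requests(log_text):
    """Yield (timestamp, src_ip, method, path) for each line that hits the REST API.

    Lines that do not match the assumed layout, or that target non-API paths
    such as the web UI login page, are skipped.
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(4).startswith(API_PREFIX):
            yield m.group(1), m.group(2), m.group(3), m.group(4)


def find_unexpected_api_sources(log_text, allowed_cidrs):
    """Return {src_ip: [(method, path), ...]} for REST API requests whose source
    address is outside the ACL allowlist; these are the entries to review first.
    """
    nets = [ip_network(c) for c in allowed_cidrs]
    hits = {}
    for _ts, src, method, path in parse_api_requests(log_text):
        if not any(ip_address(src) in net for net in nets):
            hits.setdefault(src, []).append((method, path))
    return hits


if __name__ == "__main__":
    # Assumed management network: only 10.0.0.0/8 should reach the API.
    for src, reqs in find_unexpected_api_sources(SAMPLE_LOG, ["10.0.0.0/8"]).items():
        print(f"{src}: {len(reqs)} REST API request(s) from outside the allowlist")
        for method, path in reqs:
            print(f"  {method} {path}")
```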

The Cisco PSIRT is not aware of any attacks in the wild exploiting the above vulnerability.


Pierluigi Paganini

(SecurityAffairs – hacking, Cisco)
