Cisco has disclosed a critical vulnerability, CVE-2023-20214, in the request authentication validation of the REST API of Cisco SD-WAN vManage software; it was discovered by the Cisco TAC support team. The flaw allows an unauthenticated, remote attacker to read, and to a limited extent write, the configuration of an affected Cisco vManage instance.
The Cisco SD-WAN solution is a software-based approach that lowers the cost of maintaining enterprise networks. It offers easy-to-use tools to streamline the provisioning and management of large and complex networks dispersed across numerous locations and geographies. Cisco SD-WAN comprises four components, one per plane: Cisco vManage (management plane), the Cisco vSmart Controller (control plane), the Cisco vBond Orchestrator (orchestration plane), and the edge devices that carry the data plane, namely Cisco IOS XE SD-WAN devices and Cisco vEdge devices.
Vulnerability Details
The vulnerability is caused by insufficient validation of requests sent to the REST API. By sending a crafted API request to an affected vManage instance, an unauthenticated remote attacker could obtain read permissions, or limited write permissions, to the configuration of that instance.
Cisco SD-WAN vManage REST API is used for:
- Monitoring device status
- Configuring a device, such as attaching a template to a device
- Querying and aggregating device statistics
Attempts to access the REST API are recorded in the log file /var/log/nms/vmanage-server.log on the vManage filesystem. Administrators can view the contents of vmanage-server.log with the show log CLI command and look for REST API requests from clients that are not known API consumers.
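The following Python script is an added example of that log review, not code from Cisco or from the Qualys advisory. vManage serves its REST API under the /dataservice/ path; the script extracts every request to that path from a log export, groups the requests by client address, and flags clients outside an allow-list of known API consumers, listing clients that issued write requests (POST, PUT, DELETE) first. The exact line format of vmanage-server.log is not given on this page, so the sample lines below are constructed in a hypothetical format, and the parser relies only on an HTTP method followed by a /dataservice/ path and a client= IPv4 field. The 10.10.5.0/24 allow-list is an assumption standing in for your own automation and monitoring hosts.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in a hypothetical layout. The real vmanage-server.log
# format is not reproduced here; only the "METHOD /dataservice/... client=IP"
# fragment is relied on, so adjust the two regexes to your export.
SAMPLE_LOG = """\
01-Aug-2023 10:01:12,004 INFO  [http-nio-8443-exec-3] RequestLog: GET /dataservice/device client=10.10.5.20
01-Aug-2023 10:01:13,118 INFO  [http-nio-8443-exec-7] RequestLog: GET /dataservice/statistics/interface client=10.10.5.20
01-Aug-2023 10:02:40,551 INFO  [http-nio-8443-exec-1] RequestLog: GET /dataservice/device client=203.0.113.77
01-Aug-2023 10:02:41,009 INFO  [http-nio-8443-exec-1] RequestLog: GET /dataservice/system/device/vedges client=203.0.113.77
01-Aug-2023 10:02:42,300 INFO  [http-nio-8443-exec-4] RequestLog: POST /dataservice/template/device/config/attachfeature client=203.0.113.77
01-Aug-2023 10:03:10,770 INFO  [http-nio-8443-exec-2] RequestLog: GET /login.html client=198.51.100.9
01-Aug-2023 10:04:00,000 INFO  [http-nio-8443-exec-5] RequestLog: GET /dataservice/device/monitor client=10.10.5.21
"""

# Assumed allow-list of hosts that are expected to call the REST API.
ALLOWED_API_CLIENTS = [ip_network("10.10.5.0/24")]
WRITE_METHODS = {"POST", "PUT", "DELETE"}

API_REQUEST = re.compile(r"\b(GET|POST|PUT|DELETE|PATCH)\s+(/dataservice/\S*)")
CLIENT_IP = re.compile(r"client=(\d{1,3}(?:\.\d{1,3}){3})")


def parse_api_requests(log_text):
    """Yield (method, path, client_ip) for every line that hits /dataservice/."""
    for line in log_text.splitlines():
        req = API_REQUEST.search(line)
        client = CLIENT_IP.search(line)
        if req and client:
            yield req.group(1), req.group(2), client.group(1)


def review_api_access(log_text, allowed=ALLOWED_API_CLIENTS):
    """Group REST API requests by client address.

    Returns {client_ip: {"count": n, "writes": n, "paths": [...], "allowed": bool}}.
    """
    report = {}
    for method, path, client in parse_api_requests(log_text):
        entry = report.setdefault(client, {
            "count": 0, "writes": 0, "paths": [],
            "allowed": any(ip_address(client) in net for net in allowed),
        })
        entry["count"] += 1
        if method in WRITE_METHODS:
            entry["writes"] += 1
        if path not in entry["paths"]:
            entry["paths"].append(path)
    return report


def suspicious_clients(log_text, allowed=ALLOWED_API_CLIENTS):
    """Clients that reached the REST API from outside the allow-list, writes first."""
    report = review_api_access(log_text, allowed)
    flagged = [(ip, entry) for ip, entry in report.items() if not entry["allowed"]]
    flagged.sort(key=lambda item: (-item[1]["writes"], -item[1]["count"]))
    return flagged


if __name__ == "__main__":
    for ip, entry in suspicious_clients(SAMPLE_LOG):
        print(f"{ip}: {entry['count']} API requests, {entry['writes']} writes")
        for path in entry["paths"]:
            print(f"    {path}")
```

A client outside the allow-list that touches write endpoints such as template attachment is the case to investigate first, since the advisory describes limited write access to the configuration; read-only hits from unknown addresses still warrant checking against the list of expected API consumers.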
The advisory states that the vulnerability affects only the REST API; the web-based management interface and the CLI are not affected. Cisco has confirmed that the following products are not affected:
- IOS XE
- IOS XE SD-WAN
- SD-WAN cEdge Routers
- SD-WAN vEdge Routers
- SD-WAN vEdge Cloud Routers
- SD-WAN vSmart Controller Software
- SD-WAN vBond Orchestrator Software
Affected Versions
- Cisco SD-WAN vManage 20.6.3.3
- Cisco SD-WAN vManage 20.6.4 prior to 20.6.4.2
- Cisco SD-WAN vManage 20.6.5 prior to 20.6.5.5
- Cisco SD-WAN vManage 20.7
- Cisco SD-WAN vManage 20.8
- Cisco SD-WAN vManage 20.9 prior to 20.9.3.2
- Cisco SD-WAN vManage 20.10 prior to 20.10.1.2
- Cisco SD-WAN vManage 20.11 prior to 20.11.1.2
Mitigation
Cisco has released fixed software. Customers running an affected release should upgrade to the fixed build in their release train. No fixed build is listed here for 20.6.3.3, 20.7 or 20.8, so instances on those releases must be migrated to one of the following fixed releases:
- Cisco SD-WAN vManage 20.6.4.2
- Cisco SD-WAN vManage 20.6.5.5
- Cisco SD-WAN vManage 20.9.3.2
- Cisco SD-WAN vManage 20.10.1.2
- Cisco SD-WAN vManage 20.11.1.2
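The affected and fixed lists above encode several different rules (one exact build, whole release trains with no fix, and trains fixed from a given build onward), which is easy to get wrong when checking an inventory by hand. The following Python script is an added example, not Cisco's or Qualys' code, that turns the two lists into a version check: it parses a dotted vManage release string, finds the affected train it belongs to, compares it against that train's first fixed build, and reports the action. The version strings passed to it in the usage example are constructed inputs, and the check covers only the releases named on this page.

```python
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'20.9.3.2' -> (20, 9, 3, 2). vManage release strings are dotted integers."""
    return tuple(int(part) for part in text.strip().split("."))


# (train prefix, first fixed build in that train), taken from the lists above.
# None means this page lists no fixed build inside that train (20.6.3.3, 20.7, 20.8),
# so the only option is migrating to one of FIXED_RELEASES.
AFFECTED_TRAINS = [
    ((20, 6, 3, 3), None),
    ((20, 6, 4), (20, 6, 4, 2)),
    ((20, 6, 5), (20, 6, 5, 5)),
    ((20, 7), None),
    ((20, 8), None),
    ((20, 9), (20, 9, 3, 2)),
    ((20, 10), (20, 10, 1, 2)),
    ((20, 11), (20, 11, 1, 2)),
]
FIXED_RELEASES = ["20.6.4.2", "20.6.5.5", "20.9.3.2", "20.10.1.2", "20.11.1.2"]


def fmt(version: Version) -> str:
    return ".".join(str(p) for p in version)


def assess(version: str) -> dict:
    """Decide whether a vManage release is affected by CVE-2023-20214 per this page."""
    v = parse_version(version)
    for prefix, fixed in AFFECTED_TRAINS:
        if v[: len(prefix)] != prefix:
            continue
        if fixed is None:
            return {"version": version, "vulnerable": True,
                    "action": "no fixed build in this train; migrate to one of "
                              + ", ".join(FIXED_RELEASES)}
        # Tuple comparison treats a shorter prefix as lower, so "20.9.3" < "20.9.3.2".
        if v < fixed:
            return {"version": version, "vulnerable": True,
                    "action": "upgrade to " + fmt(fixed)}
        return {"version": version, "vulnerable": False,
                "action": "at or above fixed build " + fmt(fixed)}
    return {"version": version, "vulnerable": False,
            "action": "release is not in the affected list on this page"}


def triage(versions) -> list:
    """Return the assessments for every vulnerable release in an inventory."""
    return [r for r in (assess(v) for v in versions) if r["vulnerable"]]


if __name__ == "__main__":
    # Constructed inventory for illustration.
    inventory = ["20.6.1", "20.6.3.3", "20.6.4.1", "20.7.1", "20.9.3.1", "20.9.3.2", "20.11.1.2"]
    for result in triage(inventory):
        print(f"{result['version']}: VULNERABLE, {result['action']}")
```

Because the script treats "20.9" as lower than "20.9.3.2", a bare train string such as "20.9" is reported as vulnerable, which matches the wording "20.9 prior to 20.9.3.2" above; feed it the full build string from the instance to get a definitive answer.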
Customers can refer to the Cisco Security Advisory (cisco-sa-vmanage-unauthapi-sphCLYPA) for information about the vulnerability.
Qualys Detection
Qualys customers can scan their devices with QID 317336 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/system-overview.html
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-unauthapi-sphCLYPA