Cisco Catalyst SD-WAN Manager, formerly Cisco SD-WAN vManage, is vulnerable to multiple vulnerabilities. The vulnerabilities are tracked as CVE-2023-20034, CVE-2023-20252, CVE-2023-20253, CVE-2023-20254, & CVE-2023-20262, which have medium, high, and critical severities
Successful exploitation of the vulnerabilities may allow an attacker to access an affected instance or cause a denial of service (DoS) condition.
The Cisco SD-WAN Solution provides an advanced, software-based solution that lowers the maintenance cost of maintaining enterprise networks. The software offers easy-to-use tools to streamline the provisioning and management of large and complex networks dispersed across numerous locations and geographies.
CVE-2023-20252: Cisco Catalyst SD-WAN Manager Unauthorized Access Vulnerability
The vulnerability stems from the improper authentication checks for SAML APIs of Cisco Catalyst SD-WAN Manager. An attacker could exploit this vulnerability by sending requests directly to the SAML APIs. An unauthenticated, remote attacker could generate an authorization token sufficient to access the application on successful exploitation.
The vulnerability has been given a critical severity rating with a CVSS score of 9.8.
CVE-2023-20253: Cisco Catalyst SD-WAN Manager Unauthorized Configuration Rollback Vulnerability
The vulnerability arises from improper access control enforcement on the Cisco Catalyst SD-WAN Manager CLI. An authenticated, local attacker with read-only privileges may exploit this vulnerability by initiating a configuration rollback on the Cisco Catalyst SD-WAN Manager controller. The attacker might distribute the exploited Cisco Catalyst SD-WAN Manager instance to the downstream routers by using it to roll back the configuration on a vulnerable instance.
CVE-2023-20034: Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability
The vulnerability originates from insufficient user session management within the Cisco Catalyst SD-WAN Manager system. An authenticated, remote attacker may exploit this vulnerability by sending a crafted request to an affected system. On successful exploitation, an attacker may access information about another tenant, make configuration changes, or possibly take a tenant offline and cause a DoS condition.
CVE-2023-20262: Cisco Catalyst SD-WAN Manager Denial of Service Vulnerability
The vulnerability exists in the SSH service of Cisco Catalyst SD-WAN Manager due to insufficient resource management. The vulnerability is exploitable when an affected system is in an error condition. An unauthenticated, remote attacker may exploit this vulnerability by sending malicious traffic to the affected system. Successful exploitation would allow the attacker to cause the SSH process to crash and restart, resulting in a DoS condition for the SSH service.
Affected Versions
CVE-2023-20252:
- 20.9.3.2
- 20.11.1.2
CVE-2023-20253:
- Before 20.6.
- 20.7 before 20.7.1
- 20.8 before 20.8.1
- 20.9 before 20.9.1
- 20.10 before 20.10.1
- 20.11 before 20.11.1
CVE-2023-20034:
- Before 20.3.4
- 20.4prior to 20.6.1
- 20.7 before 20.7.1
CVE-2023-20254:
- Before 20.6.3.4
- 20.7 before 20.9.3.2
- 20.10 before 20.10.1.2
- 20.11 before 20.11.1.2
CVE-2023-20262:
- Before 20.3.7
- 20.4 before 20.9.3
- 20.11 before 20.11.1
- 20.12 before 20.12.1
Mitigation
Cisco has released patches for the vulnerabilities. Customers can refer to the Cisco Security Advisory (cisco-sa-sdwan-vman-sc-LRLfu2z) for information about the vulnerability.
Qualys Detection
Qualys customers can scan their devices with QIDs 317359, 317360, 317361, 317362, and 317363 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.