Cisco fixes critical SD-WAN API vulnerability
Take action: Usually SD-WAN management is an isolated system, so even though the severity is critical you don't need to panic. Lock down your vManage, check logs for issues and plan a controlled patch in the next month. Just don't ignore it, since someone else will eventually make a mistake and expose the vulnerable API interface.
Learn More
Cisco has issued a warning about an authentication vulnerability in the REST API of the vManage software that ships with its SD-WAN solution. The flaw could allow an unauthenticated remote attacker to gain read or limited write permissions to the configuration of the affected instance.
CVE-2023-20214 (CVSS score 9.1): the REST API suffers from inadequate request validation, which allows attackers to send crafted API requests to the vManage instance and retrieve or manipulate information within the affected system.
Versions affected by the vulnerability include SD-WAN vManage versions:
- 20.6.3.3 (fixed in 20.6.3.4),
- 20.6.4 (fixed in 20.6.4.2),
- 20.6.5 (fixed in 20.6.5.5),
- 20.9 (fixed in 20.9.3.2),
- 20.10 (fixed in 20.10.1.2),
- 20.11 (fixed in 20.11.1.2).
Customers using versions 20.7 or 20.8 will need to migrate to a fixed release to mitigate the vulnerability.
Cisco recommends implementing access controls to restrict API access only to permitted IP addresses. This can be achieved by utilizing an access control list (ACL) to specify authorized sources.
Customers are advised to review the log file for access attempts to the API, but to investigate further before drawing conclusions, since the mere presence of requests in the log file does not by itself indicate unauthorized access.
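As an added, defender-side example (not Cisco's code and not taken from the advisory), the following Python script ties the two recommendations together: it treats the ACL allowlist as a set of permitted source networks and reports only REST API requests that arrive from outside it, so that routine permitted traffic in the log is not mistaken for unauthorized access. The log line format, the allowed network and the `/dataservice/` API path prefix are assumptions to adapt to your own deployment.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a generic access-log style (assumption: the real
# vManage log format and location are not stated here; adapt LINE_RE to yours).
SAMPLE_LOG = """\
10.1.1.5 - - [17/Jul/2023:10:02:11 +0000] "GET /dataservice/device HTTP/1.1" 200 5120
10.1.1.5 - - [17/Jul/2023:10:02:15 +0000] "GET /dataservice/system/device/vedges HTTP/1.1" 200 8213
203.0.113.42 - - [17/Jul/2023:10:05:01 +0000] "GET /dataservice/device HTTP/1.1" 200 5120
203.0.113.42 - - [17/Jul/2023:10:05:03 +0000] "PUT /dataservice/template/policy HTTP/1.1" 200 310
10.1.1.9 - - [17/Jul/2023:10:07:44 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Sources the ACL is meant to permit (assumed value; mirror your actual ACL).
ALLOWED_SOURCES = [ipaddress.ip_network("10.1.1.0/24")]

# Assumed REST API path prefix; change it if your deployment differs.
API_PREFIX = "/dataservice/"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields we care about, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_allowed(ip, allowed=ALLOWED_SOURCES):
    """True if the client address falls inside one of the permitted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def find_unexpected_api_requests(log_text, allowed=ALLOWED_SOURCES, api_prefix=API_PREFIX):
    """API requests from sources outside the allowlist: the ones worth investigating."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(api_prefix):
            continue  # non-API traffic is out of scope for this check
        if not is_allowed(rec["ip"], allowed):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits


def summarize(hits):
    """Count flagged requests per source and single out non-GET (write) calls."""
    per_ip = Counter(ip for ip, *_ in hits)
    writes = [h for h in hits if h[1] != "GET"]
    return per_ip, writes


if __name__ == "__main__":
    per_ip, writes = summarize(find_unexpected_api_requests(SAMPLE_LOG))
    for ip, n in per_ip.items():
        print(f"{ip}: {n} API request(s) from outside the allowlist")
    for ip, method, path, status in writes:
        print(f"  write attempt: {method} {path} from {ip} -> HTTP {status}")
```

Flagged sources that cannot be explained by a known administrator or integration are the entries to escalate; everything else is the benign noise the advisory warns about.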