Cisco has patched vulnerabilities in several versions of its Catalyst SD-WAN software.
The company said the vulnerabilities affect SD-WAN APIs, the command line interface (CLI) and an Elasticsearch implementation. They also introduce authentication and denial-of-service issues.
The most serious of the bugs is CVE-2023-20252, an unauthorised access vulnerability in Catalyst SD-WAN’s Security Assertion Markup Language (SAML) APIs. It has a CVSS score of 9.8.
“This vulnerability is due to improper authentication checks for SAML APIs. An attacker could exploit this vulnerability by sending requests directly to the SAML APIs,” the advisory stated.
This would give the attacker access to the application as an arbitrary user. There are no workarounds, so users will have to patch.
CVE-2023-20253, with a CVSS score of 8.4, is a bug in SD-WAN’s CLI that allows an attacker to bypass a unit’s authentication and roll back a controller’s configurations, “which could then be deployed to the downstream routers.”
CVE-2023-20034 (CVSS 7.5) is described as “a vulnerability in the access control implementation for Elasticsearch that is used in Cisco Catalyst SD-WAN Manager”.
An unauthenticated remote attacker can access the Elasticsearch database of an affected system via a crafted HTTP request. This would let the attacker view the contents of the Elasticsearch database.
CVE-2023-20254 (CVSS 7.2) is a session management vulnerability that “could allow an authenticated, remote attacker to access another tenant that is being managed by the same Cisco Catalyst SD-WAN Manager instance”.
“A successful exploit could allow the attacker to access information about another tenant, make configuration changes, or possibly take a tenant offline and cause a DoS condition,” the advisory stated.
Finally, with a CVSS score of 5.3, CVE-2023-20262 allows an unauthenticated remote attacker to crash the SSH process.
The bugs affect various versions of the Catalyst SD-WAN software in the Version 20.n branch, with patches available for all affected products.