A critical-severity vulnerability, tracked as CVE-2023-20214, has been found in the request authentication validation of the REST API in Cisco SD-WAN vManage software. Cisco has released a security advisory alerting users to the flaw.
It could allow a remote, unauthenticated attacker to gain read access, or limited write access, to the configuration of an affected Cisco SD-WAN vManage instance.
“This vulnerability is due to insufficient request validation when using the REST API feature. An attacker could exploit this vulnerability by sending a crafted API request to an affected vManage instance,” reads the Cisco advisory.
Cisco has released software patches that fix this issue. There are no workarounds for this weakness.
Details of the Critical-Severity Vulnerability
The Cisco SD-WAN vManage API is a REST API used to control, configure, and monitor Cisco devices in an overlay network. The vManage API has the following use cases:
- Monitoring device status
- Configuring a device, such as attaching a template to a device
- Querying and aggregating device statistics
The flaw stems from insufficient request validation in the REST API feature and can be exploited by sending a specially crafted API request to a vulnerable vManage instance.
Attackers could retrieve confidential information from the affected system, change certain configuration settings, disrupt network operations, and more.
“A successful exploit could allow the attacker to retrieve information from and send information to the configuration of the affected Cisco vManage instance,” Cisco said.
“This vulnerability only affects the REST API and does not affect the web-based management interface or the CLI.”
Affected Products
This flaw affects vulnerable versions of Cisco SD-WAN vManage software.
Products Not Affected
According to Cisco, the following Cisco products are not affected by this vulnerability:
- IOS XE
- IOS XE SD-WAN
- SD-WAN cEdge Routers
- SD-WAN vBond Orchestrator Software
- SD-WAN vEdge Cloud Routers
- SD-WAN vEdge Routers
- SD-WAN vSmart Controller Software
Mitigation
According to Cisco, there are no workarounds for this vulnerability, but there are measures that significantly reduce the attack surface.
Network administrators are encouraged to use access control lists (ACLs) that restrict access to vManage instances to specific IP addresses, keeping outside attackers out.
Using API keys to access the API is another strong security measure; Cisco generally recommends it, although it is not strictly required for vManage deployments.
Administrators are also advised to monitor the logs for attempts to use the REST API, which could indicate that the vulnerability is being exploited.
Use the command “vmanage# show log /var/log/nms/vmanage-server.log” to inspect the contents of the vmanage-server.log file.
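As an added example (not Cisco's code or the article's), the following script applies the two checks above to constructed log lines: it picks out REST API requests (paths under /dataservice/) from a vmanage-server.log-style feed and flags those whose source address is outside the permitted management range, mirroring the ACL. The line layout and the 10.0.0.0/8 allowed range are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines; this layout is an assumption made for the example,
# not the real vmanage-server.log format.
SAMPLE_LOG = """\
2023-07-13 10:01:02,113 INFO RequestLog: 10.0.0.5 GET /dataservice/device 200
2023-07-13 10:01:07,551 INFO RequestLog: 203.0.113.77 GET /dataservice/settings/configuration 200
2023-07-13 10:01:08,002 INFO RequestLog: 203.0.113.77 PUT /dataservice/settings/configuration 200
2023-07-13 10:01:09,400 INFO RequestLog: 10.0.0.5 GET /index.html 200
2023-07-13 10:01:11,020 INFO RequestLog: 10.0.0.9 POST /dataservice/template/device 200
"""

# Management hosts permitted to reach the API (assumed range, mirroring the ACL).
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]
# vManage REST API endpoints live under /dataservice/.
API_PREFIX = "/dataservice/"
LINE_RE = re.compile(r"RequestLog: (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})")

def parse_requests(log_text):
    """Extract src/method/path/status records from lines matching LINE_RE."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records

def is_allowed(src, allowed=ALLOWED_SOURCES):
    """True if the source address falls inside one of the permitted networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source: treat as not allowed
    return any(ip in net for net in allowed)

def find_suspicious(log_text, allowed=ALLOWED_SOURCES):
    """REST API requests (under /dataservice/) whose source is outside the allow-list."""
    return [r for r in parse_requests(log_text)
            if r["path"].startswith(API_PREFIX) and not is_allowed(r["src"], allowed)]

def summarize(hits):
    """Count flagged requests per (source, method) so write attempts stand out in triage."""
    return Counter((r["src"], r["method"]) for r in hits)

if __name__ == "__main__":
    for (src, method), n in summarize(find_suspicious(SAMPLE_LOG)).items():
        print(f"{src} {method} x{n}")
```

Write methods (PUT, POST, DELETE) from unexpected sources deserve the first look, since the advisory describes limited write access to the configuration.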
Fixes Available
- v20.6.3.3 – fixed in v20.6.3.4
- v20.6.4 – fixed in v20.6.4.2
- v20.6.5 – fixed in v20.6.5.5
- v20.9 – fixed in v20.9.3.2
- v20.10 – fixed in v20.10.1.2
- v20.11 – fixed in v20.11.1.2
| Cisco SD-WAN vManage Release | First Fixed Release |
| --- | --- |
| 18.3 | Not affected |
| 18.4 | Not affected |
| 19.1 | Not affected |
| 19.2 | Not affected |
| 20.1 | Not affected |
| 20.3 | Not affected |
| 20.4 | Not affected |
| 20.5 | Not affected |
| 20.6.1 | Not affected |
| 20.6.2 | Not affected |
| 20.6.3 | Not affected |
| 20.6.3.1 | Not affected |
| 20.6.3.2 | Not affected |
| 20.6.3.3 | 20.6.3.4 |
| 20.6.4 | 20.6.4.2 |
| 20.6.5 | 20.6.5.5 |
| 20.7 | Migrate to a fixed release |
| 20.8 | Migrate to a fixed release |
| 20.9 | 20.9.3.2 |
| 20.10 | 20.10.1.2 |
| 20.11 | 20.11.1.2 |