Cisco SD-WAN vManage Impacted by Unauthenticated REST API Access

Cyber Security Threat Summary:
“The Cisco SD-WAN vManage management software is impacted by a flaw that allows an unauthenticated, remote attacker to gain read or limited write permissions to the configuration of the affected instance. Cisco SD-WAN vManage is a cloud-based solution allowing organizations to design, deploy, and manage distributed networks across multiple locations. vManage instances are deployments that might serve in centralized network management, setting up VPNs, SD-WAN orchestration, device configuration deployment, policy enforcement, etc” (Bleeping Computer, 2023).

This week, Cisco published a security bulletin on a new critical vulnerability tracked as CVE-2023-20214 which resides in the request authentication validation for the REST API of Cisco SD-WAN vManage software. The flaw is the result of insufficient request validation when using the REST API feature. This flaw can be exploited by sending a specially crafted API request to impacted vManage instances.

Security Officer Comments:
Attackers could use this vulnerability to read sensitive information from a compromised system, modify certain configurations, and even disrupt network operations. According to Cisco, the vulnerability only resides in the REST API and does not affect the web-based management interface or the CLI.

Cisco SD-WAN vManage releases affected by CVE-2023-20214 are:

  • v20.6.3.3 – fixed in v20.6.3.4
  • v20.6.4 – fixed in v20.6.4.2
  • v20.6.5 – fixed in v20.6.5.5
  • v20.9 – fixed in v20.9.3.2
  • v20.10 – fixed in v20.10.1.2
  • v20.11 – fixed in v20.11.1.2
Cisco SD-WAN vManage versions 20.7 and 20.8 are also impacted, but there won't be any fixes released for those two, so their users are advised to migrate to a different release. Versions between 18.x and 20.x not mentioned in the above list are not impacted by CVE-2023-20214.

Suggested Correction(s):
Cisco says there are no workarounds for this vulnerability; however, there are ways to reduce the attack surface significantly:

Network administrators are advised to use control access lists (ACLs) that limit access to vManage instances only to specified IP addresses, shutting the door to external attackers.

Another robust security measure is using API keys to access APIs, a general recommendation by Cisco but not a hard requirement for vManage deployments.

Admins are also instructed to monitor logs to detect attempts to access the REST API, indicating potential vulnerability exploitation.

Link(s):
https://www.bleepingcomputer.com/