Cisco Systems last week issued a security bulletin alerting users of its SD-WAN vManage management tool to a critical vulnerability that could allow unauthorized access to sensitive configuration data.
The flaw, identified as CVE-2023-20214, affects the request authentication validation for the REST API of Cisco SD-WAN vManage software.
“A vulnerability in the request authentication validation for the REST API of Cisco SD-WAN vManage software could allow an unauthenticated, remote attacker to gain read permissions or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance,” said the Cisco alert.
A remote, unauthenticated attacker could exploit this flaw to read, and in some cases modify, the configuration of an affected vManage instance.
In May, the company disclosed a total of nine security vulnerabilities in its network switches.
Those flaws could allow attackers to execute arbitrary code and gain unauthorized access to corporate networks.
Critical Cisco vulnerability and its reach
Cisco SD-WAN vManage is a centralized management platform, available as a cloud-hosted or on-premises deployment, that organizations use to design, deploy, and manage distributed networks across multiple locations.
The affected component, the vManage deployment, serves as the central controller for network management, VPN configuration, SD-WAN orchestration, device deployment, policy enforcement, and more.
This critical Cisco vulnerability stems from insufficient validation of requests to the REST API. A remote, unauthenticated attacker can exploit it by sending specially crafted API requests to an affected vManage instance.
“Exploiting this vulnerability could result in two possible scenarios. The attacker could gain the ability to extract sensitive information from the configuration of the affected Cisco vManage instance,” said an assessment report by Vulnera.
“Alternatively, the attacker could inject information into the configuration, causing significant disruption. This vulnerability is particularly stealthy as it only impacts the REST API, leaving the web-based management interface and the Command Line Interface (CLI) unaffected.”
If the vulnerability is successfully exploited, the attacker gains unauthorized read access to sensitive configuration data stored on the affected system.
Moreover, they may also be able to modify certain configurations, disrupt network operations, or potentially execute other malicious activities.
It is important to note that this vulnerability solely affects the REST API functionality and does not impact the web-based management interface or the command-line interface (CLI) of the Cisco SD-WAN vManage tool, noted an analysis report by Heimdal Security.
To address the critical Cisco vulnerability, Cisco recommends that all users of affected Cisco SD-WAN vManage releases update promptly to the corresponding fixed release to preserve the security and integrity of their network configurations.
Patch management and critical Cisco vulnerability
Fixed releases are available for the affected versions of vManage. The following releases are affected (the fixed-release numbers in the original list were garbled by extraction and are restored here from Cisco's advisory):
20.6.3.3 (fixed in 20.6.3.4)
20.6.4 (fixed in 20.6.4.2)
20.6.5 (fixed in 20.6.5.5)
20.9 (fixed in 20.9.3.2)
20.10 (fixed in 20.10.1.2)
20.11 (fixed in 20.11.1.2)
Additionally, releases 20.7 and 20.8 of Cisco SD-WAN vManage are also affected, but Cisco is not releasing fixes for them. Users of these releases are strongly advised to migrate to a fixed, supported release.
“There are no workarounds that address this vulnerability,” said the Cisco alert.
“However, to mitigate this vulnerability and significantly reduce the attack surface, network administrators should enable access control lists (ACLs) to limit access to the vManage instance.”
Until the fix is applied, network administrators should reduce the exposure of the REST API.
The first step is an access control list (ACL) that restricts access to vManage instances to specified source IP addresses, limiting the instance's exposure to external attackers.
Furthermore, Cisco recommends the use of API keys to access APIs as a robust security practice. While not mandatory, it is highly recommended for all vManage implementations.
Network administrators should also proactively monitor logs for suspicious attempts to access the REST API, since such attempts could indicate exploitation of the vulnerability.
Specifically, the vmanage-server.log file should be reviewed with the command “vmanage# show log /var/log/nms/vmanage-server.log”.
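The two mitigations above, an IP allowlist and log review for REST API access, can be combined into a simple triage script. The following is an added example, not code from Cisco or from the article: the log line layout (timestamp, level, client IP, method, path, status) is an assumption, since the page does not show the real vmanage-server.log format, and the sample lines and the allowed networks are constructed for the example. It parses the lines, keeps only REST API requests (paths under /dataservice/), drops requests from allowlisted networks, and reports the remaining source IPs with how many of their requests succeeded and how many were writes.

```python
"""Triage constructed vManage-style log lines for REST API access from outside the ACL.

Added example; the log format, sample lines and allowed networks are assumptions.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Source networks the ACL is assumed to permit to reach the vManage instance.
ALLOWED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.50.0/24")]

# Constructed sample log lines in an assumed layout; not real vmanage-server.log output.
SAMPLE_LOG = """\
2023-07-13 10:01:02 INFO  client=10.1.1.5 GET /dataservice/client/token status=200
2023-07-13 10:01:03 INFO  client=10.1.1.5 GET /dataservice/device status=200
2023-07-13 10:02:10 INFO  client=203.0.113.7 GET /dataservice/settings/configuration status=200
2023-07-13 10:02:11 INFO  client=203.0.113.7 GET /dataservice/settings/configuration/certificate status=200
2023-07-13 10:02:12 INFO  client=203.0.113.7 POST /dataservice/settings/configuration status=200
2023-07-13 10:02:13 INFO  client=203.0.113.7 GET /dataservice/system/device/vedges status=200
2023-07-13 10:03:00 INFO  client=192.168.50.20 GET /dataservice/device/counters status=200
2023-07-13 10:04:00 WARN  client=198.51.100.9 GET /dataservice/settings/configuration status=401
"""

# Regex for the assumed line layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<level>\w+)\s+client=(?P<ip>[\d.]+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+status=(?P<status>\d+)$"
)

WRITE_METHODS = {"POST", "PUT", "DELETE", "PATCH"}


def parse_log(text):
    """Parse log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            events.append(e)
    return events


def is_allowed(ip, allowed=ALLOWED_NETWORKS):
    """True if the client IP falls inside one of the allowlisted networks."""
    addr = ip_address(ip)
    return any(addr in net for net in allowed)


def find_suspicious(events, allowed=ALLOWED_NETWORKS):
    """Group REST API requests from non-allowlisted IPs and summarize each source.

    Returns {ip: {"requests", "successful", "writes", "paths"}}. A source with
    successful (HTTP 200) requests, and especially writes, to configuration
    endpoints is the pattern worth escalating; 401s from outside are probes
    the ACL or authentication already stopped.
    """
    per_ip = defaultdict(list)
    for e in events:
        if not e["path"].startswith("/dataservice/"):
            continue  # not a REST API call
        if is_allowed(e["ip"], allowed):
            continue  # permitted by the ACL
        per_ip[e["ip"]].append(e)

    report = {}
    for ip, evs in per_ip.items():
        report[ip] = {
            "requests": len(evs),
            "successful": sum(1 for e in evs if e["status"] == 200),
            "writes": sum(1 for e in evs if e["method"] in WRITE_METHODS),
            "paths": sorted({e["path"] for e in evs}),
        }
    return report


if __name__ == "__main__":
    for ip, summary in find_suspicious(parse_log(SAMPLE_LOG)).items():
        flag = "ESCALATE" if summary["successful"] else "blocked probe"
        print(f"{ip}: {summary['requests']} requests, {summary['successful']} succeeded, "
              f"{summary['writes']} writes [{flag}]")
        for p in summary["paths"]:
            print(f"    {p}")
```

On the constructed sample, 203.0.113.7 is reported with four successful requests including one write to a configuration endpoint, which is the pattern that warrants escalation, while 198.51.100.9 shows only a rejected request. Point the parser at a real export of vmanage-server.log only after adjusting LINE_RE to the actual line layout.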