Cisco SD-WAN vManage impacted by unauthenticated REST API access

Cisco SD-WAN vManage is a cloud-based solution allowing organizations to design, deploy, and manage distributed networks across multiple locations.

vManage instances are deployments that might serve in centralized network management, setting up VPNs, SD-WAN orchestration, device configuration deployment, policy enforcement, etc.

Cisco published a security bulletin on July 12th informing of a critical-severity vulnerability in the request authentication validation for the REST API of Cisco SD-WAN vManage software, tracked as CVE-2023-20214.

The flaw is caused by an insufficient request validation when using the REST API feature, which can be exploited by sending a specially-crafted API request to the affected vManage instances.

This could enable attackers to read sensitive information from the compromised system, modify certain configurations, disrupt network operations, and more.

"A successful exploit could allow the attacker to retrieve information from and send information to the configuration of the affected Cisco vManage instance," reads Cisco's bulletin.

"This vulnerability only affects the REST API and does not affect the web-based management interface or the CLI."

Fixes and workarounds

Cisco SD-WAN vManage releases affected by CVE-2023-20214 are:

• v20.6.3.3 – fixed in v20.6.3.4
• v20.6.4 – fixed in v20.6.4.2
• v20.6.5 – fixed in v20.6.5.5
• v20.9 – fixed in v20.9.3.2
• v20.10 – fixed in v20.10.1.2
• v20.11 – fixed in v20.11.1.2

Moreover, Cisco SD-WAN vManage versions 20.7 and 20.8 are also impacted, but there won't be any fixes released for those two, so their users are advised to migrate to a different release.

Versions between 18.x and 20.x not mentioned in the above list are not impacted by CVE-2023-20214.

Cisco says there are no workarounds for this vulnerability; however, there are ways to reduce the attack surface significantly.

Network administrators are advised to use control access lists (ACLs) that limit access to vManage instances only to specified IP addresses, shutting the door to external attackers.

Another robust security measure is using API keys to access APIs, a general recommendation by Cisco but not a hard requirement for vManage deployments.

Admins are also instructed to monitor logs to detect attempts to access the REST API, indicating potential vulnerability exploitation.

To view the content of the vmanage-server.log file, use the command  "vmanage# show log /var/log/nms/vmanage-server.log".

Source: bleepingcomputer.com