Cisco's SD-WAN vManage, the centralized management controller that organizations use to operate SD-WAN fabrics across many sites (deployed on premises or cloud-hosted), contains a critical vulnerability tracked as CVE-2023-20214. An unauthenticated, remote attacker who can reach the instance's REST API could exploit the flaw to obtain read permissions, and limited write permissions, to the configuration of the affected instance. Because vManage is the point of centralized network management, VPN setup, SD-WAN orchestration, and policy enforcement, unauthorized access to its configuration has a correspondingly wide blast radius.
Cisco has released a security bulletin that locates the flaw in the request authentication validation of the Cisco SD-WAN vManage REST API: incoming API requests are insufficiently validated, so an attacker can send a crafted request to an exposed vManage instance and have it processed without valid authentication. A successful exploit exposes sensitive configuration data and allows certain configuration changes, which in turn could be used to disrupt network operations. Quoting Cisco's bulletin, 'A successful exploit could allow the attacker to retrieve information from and send information to the configuration of the affected Cisco vManage instance.' Only the REST API is affected; the web-based management interface and the CLI are not.
Cisco's bulletin lists the affected Cisco SD-WAN vManage releases and the fixed release for each. Two of the affected releases, 20.7 and 20.8, will receive no fix at all; users running them are advised to migrate to a fixed release. Releases in the 18.x and 20.x trains that the bulletin does not list are not affected by CVE-2023-20214. Cisco states that there are no workarounds for this vulnerability, only mitigations that reduce the attack surface until the software is upgraded.
Network administrators are advised to configure control access lists (ACLs) that restrict access to the vManage instance to specific source IP addresses, which blocks attackers outside those ranges from reaching the REST API at all (it does not protect against an attacker who already has a foothold inside an allowed range). A second measure is to use API keys for API access, which vManage supports but does not require. Administrators should also monitor logs for attempts to access the REST API, particularly requests from unexpected source addresses, since those could indicate exploitation attempts. The relevant log can be viewed from the vManage CLI with 'vmanage# show log /var/log/nms/vmanage-server.log'. None of these steps fixes the flaw; upgrading to a fixed release is the only remedy.
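The two mitigations above, an IP allow list and review of REST API requests in the server log, can be combined into a simple triage script. The following is an added example, not Cisco code or part of the bulletin: it flags every request to the vManage REST API (whose endpoints live under the /dataservice/ path) that did not come from an allowed management network, and notes when such a request succeeded or used a write method. The log line format, the allow list, and the sample entries are all constructed for the illustration; the real vmanage-server.log format differs, so the regular expression must be adapted before this is run against production logs.

```python
"""Triage of REST API requests in a vManage server log against an IP allow list.

Added example for the mitigations discussed above; not Cisco code.
The log line format parsed here is a constructed stand-in, not the real
vmanage-server.log format, and must be adapted before real use.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Assumed allow list: the management networks that should be the only
# sources of REST API calls once the control ACL is in place.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("192.168.100.5/32"),
]

# vManage REST API endpoints are served under this path prefix; requests
# to the web UI or other paths are out of scope for CVE-2023-20214.
API_PREFIX = "/dataservice/"
WRITE_METHODS = {"POST", "PUT", "DELETE"}

# Constructed (hypothetical) log format:
#   <timestamp> <level> <client-ip> <method> <path> <http-status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<ip>[\d.]+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})"
)


@dataclass
class Finding:
    ts: str
    ip: str
    method: str
    path: str
    status: int
    reason: str


def is_allowed(ip: str) -> bool:
    """True if the client address falls inside any allowed management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per REST API request from a non-allowed address."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        if not m["path"].startswith(API_PREFIX):
            continue  # web UI or other path; only the REST API is affected
        if is_allowed(m["ip"]):
            continue  # expected management traffic
        status = int(m["status"])
        reason = "REST API request from address outside management allow list"
        if 200 <= status < 300:
            reason += "; request succeeded"  # read or write actually went through
        if m["method"] in WRITE_METHODS:
            reason += "; write method"  # configuration may have been changed
        findings.append(Finding(m["ts"], m["ip"], m["method"], m["path"], status, reason))
    return findings


# Constructed sample log lines in the assumed format (not real log data).
SAMPLE_LOG = """\
2023-07-13T09:12:01Z INFO 10.0.0.7 GET /dataservice/device 200
2023-07-13T09:12:05Z INFO 203.0.113.44 GET /dataservice/settings/configuration 200
2023-07-13T09:12:06Z INFO 203.0.113.44 POST /dataservice/template/policy/vsmart 200
2023-07-13T09:12:09Z INFO 198.51.100.9 GET /dataservice/client/token 401
2023-07-13T09:12:10Z INFO 10.0.0.7 GET /login 200
""".splitlines()


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.method} {f.path} {f.status}: {f.reason}")
```

Run against the constructed sample, the script reports the two requests from 203.0.113.44 (the second of them a successful write) and the failed request from 198.51.100.9, and ignores both requests from the allowed 10.0.0.7. A failed attempt from an unknown address is still worth a look, because it shows that the REST API is reachable from outside the intended management ranges, which is exactly what the control ACL is meant to prevent.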