A critical vulnerability, designated as CVE-2023-20214, has been discovered in Cisco's SD-WAN vManage software. This flaw, with a severity rating of 9.1, has prompted Cisco to release security updates to rectify the issue.
The vulnerability is rooted in the request authentication validation for the software’s REST API. If exploited, it could provide an unauthenticated, remote attacker with unrestricted access to the configuration of an affected Cisco SD-WAN vManage instance. The issue arises from inadequate request validation procedures within the REST API feature. This vulnerability could allow malicious actors to construct harmful API requests that could bypass the security measures of the affected vManage instances.
Exploiting this vulnerability could result in two possible scenarios. The attacker could gain the ability to extract sensitive information from the configuration of the affected Cisco vManage instance. Alternatively, the attacker could inject information into the configuration, causing significant disruption. This vulnerability is particularly stealthy as it only impacts the REST API, leaving the web-based management interface and the Command Line Interface (CLI) unaffected.
The CVE-2023-20214 bug is present in vulnerable versions of Cisco SD-WAN vManage software. Cisco has taken swift action to address this vulnerability by releasing software updates. There are no direct workarounds to neutralize this vulnerability. Network administrators, however, can implement Access Control Lists (ACLs) as a first line of defense. By restricting access to the vManage instance, ACLs can significantly reduce the attack surface.
In cloud-hosted deployments, access to vManage can be restricted through ACLs composed of allowed IP addresses. Network administrators should carefully review and modify the permitted IP addresses within the ACLs. Likewise, on-premises deployments can limit vManage access by enforcing ACLs and configuring allowed IP addresses.
As per the latest update, the Cisco Product Security Incident Response Team (PSIRT) has not reported any public announcements or malicious uses of this vulnerability.