A security flaw has been found in Cisco SD-WAN vManage that could allow an unauthenticated attacker to bypass the device's security controls and gain read and limited write access. Cisco SD-WAN vManage is a centralized console for managing, configuring, and monitoring network devices. The flaw exists in vManage's REST API, which does not adequately validate requests. A malicious actor could craft API requests that bypass the device's security controls, making it possible to inject information into the configuration or extract sensitive information.
The vulnerability affects versions on or after 220.127.116.11 (see table).
This vulnerability is assigned CVE-2023-20214. It is considered critical, with a CVSS severity score of 9.1. As of the writing of this post, the Cisco Product Security Incident Response Team (PSIRT) has not reported any public malicious exploitation of this vulnerability.
Check for Indicators of Compromise:
Administrators can use the CLI command "show log" to view the contents of the vmanage-server.log file.
If the entry "Request Stored in Map is (/dataservice/client/server) for user (admin)" appears in the log, the REST API has received requests. An example of this type of traffic is shown at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-unauthapi-sphCLYPA .
The presence of these log entries does not by itself indicate unauthorized access; it shows only that requests reached the REST API.
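As an added example (not from the Cisco advisory or from Sedara), the following Python script scans saved "show log" output for the log entry described above and tallies REST API requests per endpoint and user, so an analyst can spot unexpected volume or unexpected endpoints. The sample log lines, their timestamps and the second endpoint path (/dataservice/device) are constructed placeholders, not real vmanage-server.log output.

```python
import re
from collections import Counter

# The vmanage-server.log entry named in the Cisco advisory's IoC guidance:
# "Request Stored in Map is (<path>) for user (<user>)" marks a REST API request.
LOG_PATTERN = re.compile(
    r"Request Stored in Map is \((?P<path>[^)]*)\) for user \((?P<user>[^)]*)\)"
)

# Constructed sample log lines (placeholders, not real vManage output).
SAMPLE_LOG = """\
01-Jul-2023 10:00:01,123 UTC INFO  [vManage] Scheduler tick
01-Jul-2023 10:00:05,456 UTC INFO  [vManage] Request Stored in Map is (/dataservice/client/server) for user (admin)
01-Jul-2023 10:00:06,789 UTC INFO  [vManage] Request Stored in Map is (/dataservice/device) for user (admin)
01-Jul-2023 10:00:07,001 UTC INFO  [vManage] Request Stored in Map is (/dataservice/client/server) for user (admin)
01-Jul-2023 10:00:09,222 UTC INFO  [vManage] Heartbeat ok
"""


def find_rest_api_requests(log_text):
    """Return a (path, user) tuple for every REST API request entry in the log."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_PATTERN.search(line)
        if match:
            hits.append((match.group("path"), match.group("user")))
    return hits


def summarize(log_text):
    """Count REST API requests per (path, user).

    A non-zero count only means the REST API was reached; it does not by itself
    show that the requests were unauthorized. Compare against expected
    administrative activity before treating it as an indicator of compromise.
    """
    return Counter(find_rest_api_requests(log_text))


if __name__ == "__main__":
    for (path, user), count in summarize(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {user:10s} {path}")
```

To run it against a real device, paste the saved "show log" output into a file and pass its contents to summarize() instead of SAMPLE_LOG.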
Cisco has released free software updates that address this vulnerability. The patches are available through Cisco update channels. The procedure for updating depends on the customer’s service contract status. For more information, check the “Fixed Software” section of https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-unauthapi-sphCLYPA .
More Reading On this Threat
Cisco SD-WAN vManage Unauthenticated REST API Access Vulnerability: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-unauthapi-sphCLYPA
How can Sedara Help?
Gain visibility across your entire network for real-time analysis and alerting of security events. Sedara's 24x7x365 SOC can deploy and monitor a Security Information and Event Management (SIEM) system so that you can ignore the noise and take immediate action on security incidents.