The Cisco SD-WAN vManage management software is affected by a flaw that allows an unauthenticated remote attacker to obtain limited read or write permissions on the configuration of the affected instance.

Cisco SD-WAN vManage is a cloud-based solution for organizations to design, deploy, and manage distributed networks across multiple sites.

vManage instances are deployments that can be used for centralized network management, VPN configuration, SD-WAN orchestration, device configuration deployment, policy enforcement, and more.

Cisco released a security bulletin yesterday advising of a critical severity vulnerability in Request Authentication Validation for Cisco SD-WAN vManage Software REST API, tracked as CVE-2023-20214.

The flaw is caused by insufficient request validation when using the REST API function, which can be exploited by sending a specially crafted API request to the affected vManage instances.

This could allow attackers to read sensitive information from the compromised system, modify certain configurations, disrupt network operations, etc.

“A successful exploit could allow the attacker to retrieve information and send information to the configuration of the affected Cisco vManage instance”, reads the Cisco newsletter.

“This vulnerability only affects the REST API and does not affect the web management interface or the CLI.”

Fixes and workarounds

The versions of Cisco SD-WAN vManage affected by CVE-2023-20214 are:

• v20.6.3.3 – fixed in v20.6.3.4
• v20.6.4 – fixed in v20.6.4.2
• v20.6.5 – fixed in v20.6.5.5
• v20.9 – fixed in v20.9.3.2
• v20.10 – fixed in v20.10.1.2
• v20.11 – fixed in v20.11.1.2

Additionally, Cisco SD-WAN vManage versions 20.7 and 20.8 are also impacted, but no patches will be released for these two versions, so their users are advised to migrate to a different version.

Versions between 18.x and 20.x not mentioned in the list above are not impacted by CVE-2023-20214.

Cisco advises that there is no workaround for this vulnerability; however, there are ways to significantly reduce the attack surface.

Network administrators are advised to use Control Access Lists (ACLs) that limit access to vManage instances only to specified IP addresses, closing the door to external attackers.

Another robust security measure is to use API keys to access APIs, a general Cisco recommendation but not an absolute requirement for vManage deployments.

Administrators are also responsible for monitoring logs for attempts to access the REST API, indicating potential exploitation of vulnerabilities.

To view the contents of the vmanage-server.log file, use the command "vmanage# show log /var/log/nms/vmanage-server.log".