Cisco closes critical gap in SD-WAN vManage

Cisco is releasing updates that close a critical vulnerability in SD-WAN vManage software. The US cybersecurity agency CISA warns that attackers from the network can abuse the vulnerability in order to gain complete control over affected systems.


Cisco explains in its security advisory that the problem is a failure to authenticate requests to the Cisco SD-WAN vManage REST API. It grants unauthenticated attackers from the network read rights or limited write access to the configuration of affected instances (CVE-2023-20214, CVSS 9.1, risk "critical").

The company states that neither the web-based administration interface nor the command line is affected, only the REST API. However, there is no workaround for the vulnerability; the API is active by default and cannot be deactivated. IT managers can find attempts to access the REST API in the log files. However, they must decide for themselves whether the requests are legitimate; access alone does not mean that the vulnerability has been misused. The relevant log can be viewed with the command "show log /var/log/nms/vmanage-server.log". According to Cisco, entries of the form "Request Stored in Map is (/dataservice/client/server) for user (admin)" indicate REST API access.
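The following triage script is an added example, not code from Cisco or from the original article: it pulls the REST API access entries described above out of log text and counts them per user and path so an administrator can review them. The sample lines are constructed (only the "Request Stored in Map is ..." fragment comes from the article; the timestamp and prefix layout is assumed), and the expected_users allowlist is a hypothetical parameter.

```python
import re
from collections import Counter

# Matches only the fragment quoted in the article; the rest of each line is ignored.
ENTRY = re.compile(
    r"Request Stored in Map is \((?P<path>[^)]*)\) for user \((?P<user>[^)]*)\)"
)

# Constructed sample lines. The timestamp/prefix layout is an assumption,
# not copied from a real vmanage-server.log.
SAMPLE_LOG = """\
10-Jul-2023 09:14:02,113 INFO  [vmanage] Request Stored in Map is (/dataservice/client/server) for user (admin)
10-Jul-2023 09:14:05,870 INFO  [vmanage] Scheduled task finished
10-Jul-2023 09:15:40,001 INFO  [vmanage] Request Stored in Map is (/dataservice/device) for user (admin)
10-Jul-2023 09:16:12,450 INFO  [vmanage] Request Stored in Map is (/dataservice/client/server) for user (netops)
"""


def rest_api_accesses(lines):
    """Yield (path, user) for every line carrying the REST API access entry."""
    for line in lines:
        match = ENTRY.search(line)
        if match:
            yield match.group("path"), match.group("user")


def summarize(lines, expected_users=()):
    """Count accesses per (user, path); list users outside expected_users.

    expected_users is a hypothetical allowlist of accounts known to use the API.
    A listed user is a prompt for manual review, not proof of exploitation.
    """
    expected = set(expected_users)
    counts = Counter((user, path) for path, user in rest_api_accesses(lines))
    review = sorted({user for user, _ in counts if user not in expected})
    return counts, review


if __name__ == "__main__":
    # To use a saved copy of the log instead: open(path).read().splitlines()
    counts, review = summarize(SAMPLE_LOG.splitlines(), expected_users={"admin"})
    for (user, path), n in counts.most_common():
        print(f"{n:4d}  {user:10s} {path}")
    print("users to review:", ", ".join(review) or "none")
```
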

To mitigate the risk, Cisco recommends using access control lists (ACLs) to control access to the vManage instances. Ideally, however, administrators should install the updated software. Cisco's SD-WAN vManage is vulnerable from version 2.6.3.3 up to and including 20.11. Versions 20.6.3.4, 20.6.4.2, 20.6.5.5, 20.9.3.2, 20.10.1.2 and 20.11.1.2 close the vulnerability. Anyone still using vManage 20.7 or 20.8 should migrate to one of the aforementioned fixed releases.

A vulnerability in Cisco’s Nexus 9000 devices became known last week. This allows attackers to read and change encrypted traffic – but there is no update or workaround.


(dmk)
