
WARNING: Critical access control vulnerability in Cisco SD-WAN vManage API

Reference: Advisory #2023-82
Version: 1.0
Affected software: Cisco SD-WAN vManage API
Type: Access control vulnerability
CVE/CVSS: CVE-2023-20214 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Sources

Risks

A critical access control vulnerability in the request authentication validation of the Cisco SD-WAN vManage API could allow an unauthenticated, remote attacker to gain read permissions or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance.
This could allow an attacker to modify the configuration of devices managed by the Cisco SD-WAN vManage instance. In addition, the attacker could gain valuable intelligence about the devices used in the environment, which could lead to follow-up attacks targeting vulnerable devices.

Description

CVE-2023-20214 is an access control vulnerability (CWE-284) caused by insufficient request validation when using the REST API feature. An attacker could exploit this vulnerability by sending a crafted API request to a remotely accessible affected vManage instance. A successful exploit could allow the attacker to retrieve information from and send information to the configuration of the affected Cisco vManage instance.
It is important to note that this vulnerability only affects the vManage API and not the web-based management interface or the CLI.

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends that system administrators take the following actions:
There are no workarounds available, but Cisco recommends reducing the attack surface by enabling access control lists to limit access to the vManage instance.

References