Get a demo
Voyager18 (research)

How to fix CVE-2023-20214 in Cisco SD-WAN

Cisco has addressed CVE-2023-20214 - a vulnerability in its SD-WAN vManage software that could lead to information leaks. Here's what we know.

Yair Divinsky | August 03, 2023

Tracked as CVE-2023-20214 with a CVSS score of 9.1, the flaw could be exploited by unauthenticated attackers to retrieve sensitive information from vulnerable instances. Unfortunately, there are no available workarounds to mitigate this risk.  

The vulnerability lies in the request authentication validation for the REST API feature of Cisco’s SD-WAN vManage software. Malicious actors can take advantage of this weakness to gain unauthorized access to the configuration of affected instances, posing a significant threat to the security of Cisco SD-WAN vManage installations.  

The root cause of the vulnerability can be attributed to inadequate request validation protocols within the REST API, which allows attackers to craft harmful API requests that bypass security measures. Immediate action is recommended to apply the security updates provided by Cisco to safeguard against potential exploitation.   

What is CVE-2023-20214?   

CVE-2023-20214 is a security vulnerability found in the Cisco SD-WAN vManage software. It stems from a weakness in the request authentication validation process within the REST API feature. Exploiting this flaw, an unauthenticated remote attacker could gain read permissions or limited write permissions to the configuration of a vulnerable Cisco SD-WAN vManage instance.  

The vulnerability occurs because of inadequate request validation when utilizing the REST API, allowing attackers to send specially crafted API requests to affected vManage instances. A successful exploit would enable the attacker to access and retrieve information from the configuration of the targeted Cisco vManage instance, as well as send data to it.  

It’s important to note that this vulnerability solely affects the REST API and does not impact the web-based management interface or the CLI of the SD-WAN vManage software.  

To address this critical issue, Cisco has released software updates that fix the vulnerability. Unfortunately, there are no known workarounds available to mitigate the risk, making it crucial for users to apply the provided updates promptly.    

Does CVE-2023-20214 affect me?  

The vulnerability affects vulnerable releases of Cisco SD-WAN vManage software.  

Cisco has also confirmed that this vulnerability does not affect the following Cisco products:  

IOS XE, IOS XE SD-WAN, SD-WAN cEdge Routers, SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vSmart Controller Software    

CVE-2023-20214 affects vulnerable releases of Cisco SD-WAN vManage software:  

Cisco SD-WAN vManage Release  

First Fixed Release  

18.3  

Not affected.  

18.4  

Not affected.  

19.1  

Not affected.  

19.2  

Not affected.  

20.1  

Not affected.  

20.3  

Not affected.  

20.4  

Not affected.  

20.5  

Not affected.  

20.6.1  

Not affected.  

20.6.2  

Not affected.  

20.6.3  

Not affected.  

20.6.3.1  

Not affected.  

20.6.3.2  

Not affected.  

20.6.3.3  

20.6.3.4  

20.6.4  

20.6.4.2  

20.6.5  

20.6.5.5  

20.7  

Migrate to a fixed release.  

20.8  

Migrate to a fixed release.  

20.9  

20.9.3.2  

20.10  

20.10.1.2  

20.11  

20.11.1.2  

  

  

Has CVE-2023-20214 been actively exploited in the wild?  

As of now, there have been no reports of CVE-2023-20214 being actively exploited in the wild. While the successful execution of this exploit presents two concerning possibilities, Cisco’s security team has not identified any instances of this vulnerability being exploited in attacks.  

If this exploit were to be carried out, it could result in two troubling scenarios. Firstly, the attacker might gain unauthorized access to sensitive information from the configuration of the affected Cisco vManage instance, which poses a significant threat to network administrators. Secondly, the assailant could inject malicious information into the configuration, potentially causing severe disruptions and chaos within the system.  

It is essential to note that this vulnerability exclusively affects the REST API, leaving the web-based management interface and the Command Line Interface (CLI) unaffected. This distinction might divert suspicion from the actual source of the vulnerability.  

Despite the absence of reported exploits, it is still crucial for users to remain vigilant and apply the security updates provided by Cisco promptly to mitigate any potential risks. Proactive measures are essential to ensure the safety and security of the Cisco SD-WAN vManage instances.  

How to fix CVE-2023-20214  

While no workarounds yet exists to address this bug, implementing access control lists (ACLs) to limit vManage access mitigates the issue. Cisco has proven to perform swiftly to address this lurking threat, mobilizing fast by releasing software updates designed to patch the chink in its cyber security armor.  

“In cloud hosted deployments, access to vManage is limited by ACLs that contain permitted IP addresses. Network administrators should review and edit the permitted IP addresses in the ACLs. In on-premises deployments, vManage access can be limited in a similar way by using ACLs and configuring permitted IP addresses,” Cisco explains.  

The vulnerability has been addressed with the release of SD-WAN vManage versions 20.6.3.4, 20.6.4.2, 20.6.5.5, 20.9.3.2, 20.10.1.2, and 20.11.1.2. Versions 18.3 to 20.6.3.2 are not affected. Customers using SD-WAN vManage versions 20.7 and 20.8 are advised to migrate to a patched version.  

The first line of defense that network administrators could deploy is enabling Access Control Lists (ACLs). ACLs could provide a significant bulwark against potential attacks, thus substantially shrinking the attack surface by limiting the access to the vManage instance.  

In cloud-hosted deployments, access to vManage can be controlled using ACLs containing authorized IP addresses. Network administrators should perform a thorough review and make necessary adjustments to the allowed IP addresses within the ACLs. Similarly, on-premises deployments can restrict vManage access by employing ACLs and configuring permitted IP addresses.  

Next steps

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. CVSS v4.0 – what you need to know
  2. Can you trust ChatGPT’s package recommendations?
  3. MITRE ATTACK framework – Mapping techniques to CVEs  
  4. Exploit maturity: an introduction  
  5. IBM’s Cost of a Data Breach report 2023 – what we learned

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy

strip-img-2.png

Get rid of silos;

Start owning exposure risk

Test drive the leader in exposure risk management