Cisco Security Advisory
Cisco Catalyst SD-WAN Manager Vulnerabilities
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
-
Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager, formerly Cisco SD-WAN vManage, could allow an attacker to access an affected instance or cause a denial of service (DoS) condition on an affected system.
For more information about these vulnerabilities, see the Details section of this advisory.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vman-sc-LRLfu2z
-
Vulnerable Products
These vulnerabilities affect Cisco Catalyst SD-WAN Manager.
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities.
Cisco has confirmed that these vulnerabilities do not affect the following Cisco products:
- IOS XE Software
- SD-WAN cEdge Routers
- SD-WAN vEdge Routers
-
The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other software vulnerabilities.
Details about the vulnerabilities are as follows:
CVE-2023-20252: Cisco Catalyst SD-WAN Manager Unauthorized Access Vulnerability
A vulnerability in the Security Assertion Markup Language (SAML) APIs of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain unauthorized access to the application as an arbitrary user.
This vulnerability is due to improper authentication checks for SAML APIs. An attacker could exploit this vulnerability by sending requests directly to the SAML APIs. A successful exploit could allow the attacker to generate an authorization token sufficient to access the application.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Bug ID(s): CSCwh03202
CVE ID: CVE-2023-20252
Security Impact Rating (SIR): Critical
CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCVE-2023-20253: Cisco Catalyst SD-WAN Manager Unauthorized Configuration Rollback Vulnerability
A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker with read-only privileges to bypass authorization and roll back controller configurations, which could then be deployed to the downstream routers.
This vulnerability is due to improper access control enforcement on the Cisco Catalyst SD-WAN Manager CLI. An attacker with read-only access to the CLI could exploit this vulnerability by initiating a configuration rollback on the Cisco Catalyst SD-WAN Manager controller. A successful exploit could allow the attacker to roll back the configuration on an affected Cisco Catalyst SD-WAN Manager instance, which could then be deployed to the downstream routers.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Bug ID(s): CSCvz62234
CVE ID: CVE-2023-20253
Security Impact Rating (SIR): High
CVSS Base Score: 8.4
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:HCVE-2023-20034: Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability
A vulnerability in the access control implementation for Elasticsearch that is used in Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to access the Elasticsearch database of an affected system with the privileges of the Elasticsearch user.
This vulnerability is due to improper access control on Cisco Catalyst SD-WAN Manager for the Elasticsearch service. An attacker could exploit this vulnerability by sending a crafted HTTP request to a reachable Cisco Catalyst SD-WAN Manager system. A successful exploit could allow the attacker to view the Elasticsearch database content as the Elasticsearch user.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Bug ID(s): CSCvw59643
CVE ID: CVE-2023-20034
Security Impact Rating (SIR): High
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NCVE-2023-20254: Cisco Catalyst SD-WAN Manager Authorization Bypass Vulnerability
A vulnerability in the session management system of the Cisco Catalyst SD-WAN Manager multi-tenant feature could allow an authenticated, remote attacker to access another tenant that is being managed by the same Cisco Catalyst SD-WAN Manager instance. This vulnerability requires the multi-tenant feature to be enabled.
This vulnerability is due to insufficient user session management within the Cisco Catalyst SD-WAN Manager system. An attacker could exploit this vulnerability by sending a crafted request to an affected system. A successful exploit could allow the attacker to access information about another tenant, make configuration changes, or possibly take a tenant offline and cause a DoS condition.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Bug ID(s): CSCwf55823, CSCwf68936
CVE ID: CVE-2023-20254
Security Impact Rating (SIR): High
CVSS Base Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HCVE-2023-20262: Cisco Catalyst SD-WAN Manager Denial of Service Vulnerability
A vulnerability in the SSH service of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to cause a process crash, resulting in a DoS condition for SSH access only. This vulnerability does not prevent the system from continuing to function, and web UI access is not affected.
This vulnerability is due to insufficient resource management when an affected system is in an error condition. An attacker could exploit this vulnerability by sending malicious traffic to the affected system. A successful exploit could allow the attacker to cause the SSH process to crash and restart, resulting in a DoS condition for the SSH service.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Bug ID(s): CSCwd46383
CVE ID: CVE-2023-20262
Security Impact Rating (SIR): Medium
CVSS Base Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
-
There are no workarounds that address these vulnerabilities.
-
Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.
Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.htmlAdditionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Fixed Releases
In the following table the first column lists Cisco Catalyst SD-WAN Manager releases and the subsequent columns indicate whether a release is affected by one or more of the vulnerabilities that are described in this advisory and the first fixed release for each vulnerability.
Release CVE-2023-20252
Critical SIRCVE-2023-20253
High SIRCVE-2023-20034
High SIRCVE-2023-20254
High SIRCVE-2023-20262
Medium SIREarlier than 20.3 Not affected. Not affected. Migrate to a fixed release. Not affected. Migrate to a fixed release. 20.3 Not affected. Not affected. 20.3.4 Not affected. 20.3.7 20.4 Not affected. Migrate to a fixed release. Migrate to a fixed release. Migrate to a fixed release. Migrate to a fixed release. 20.5 Not affected. Migrate to a fixed release. Migrate to a fixed release. Migrate to a fixed release. Migrate to a fixed release. 20.6 Not affected. 20.6.2 20.6.1 20.6.3.4 20.6.6 20.7 Not affected. 20.7.1 20.7.1 Migrate to a fixed release. Migrate to a fixed release. 20.8 Not affected. 20.8.1 Not affected. Migrate to a fixed release. Migrate to a fixed release. 20.9 20.9.41 20.9.1 Not affected. 20.9.3.2 20.9.3 20.10 Not affected. 20.10.1 Not affected. 20.10.1.2 Migrate to a fixed release. 20.11 Migrate to a fixed release.1 20.11.1 Not affected. 20.11.1.2 20.11.1 20.12 Not affected. Not affected. Not affected. Not affected. 20.12.1 1. For CVE-2023-20252, only releases 20.9.3.2 and 20.11.1.2 are affected. Previous releases in the 20.9 and 20.11 trains are not affected.The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
-
CVE-2023-20034, CVE-2023-20252, CVE-2023-20253, and CVE-2023-20262: These vulnerabilities were found during internal security testing.
CVE-2023-20254: Cisco would like to thank Heba Farahat and Hosam Gemei of Liquid C2 for reporting this vulnerability.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version Description Section Status Date 1.3 Updated the fixed releases for CVE-2023-20262. Fixed Releases Final 2023-OCT-25 1.2 Updated the fixed releases for CVE-2023-20253 and CVE-2023-20254. Fixed Releases Final 2023-OCT-06 1.1 Updated the fixed release for CVE-2023-20252. Fixed Releases Final 2023-SEP-29 1.0 Initial public release. - Final 2023-SEP-27
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.