Cisco recently disclosed 5 critical vulnerabilities in their SD-WAN Manager product that could allow remote attackers to gain unauthorized access, rollback configurations, disclose sensitive information, and cause denial of service conditions if left unpatched. Cisco SD-WAN Manager users should immediately assess their exposure and apply patches to avoid potential attacks leveraging these flaws. The newly discovered vulnerabilities highlight the increased attack surface and risks introduced when using centralized controllers for distributed networks.
Critical Unauthorized Access, Rollback, and Disclosure Vulnerabilities
The most severe of the vulnerabilities disclosed are:
- CVE-2023-20252: This critical 9.8 CVSS-rated vulnerability allows unauthenticated remote code execution via improper authentication on Cisco SD-WAN Manager SAML APIs. Successful exploitation gives an attacker full system access. This vulnerability is due to improper authentication checks for SAML APIs. An attacker could exploit this vulnerability by sending requests directly to the SAML APIs. A successful exploit could allow the attacker to generate an authorization token sufficient to access the application.
- CVE-2023-20253: A high 8.4 CVSS-rated flaw allows authenticated users with read-only privileges to rollback controller configurations via the CLI. Attackers could leverage this to deploy malicious config changes. This vulnerability is due to improper access control enforcement on the Cisco Catalyst SD-WAN Manager CLI. An attacker with read-only access to the CLI could exploit this vulnerability by initiating a configuration rollback on the Cisco Catalyst SD-WAN Manager controller. A successful exploit could allow the attacker to roll back the configuration on an affected Cisco Catalyst SD-WAN Manager instance, which could then be deployed to the downstream routers
- CVE-2023-20034: This high 7.5 CVSS vulnerability enables unauthenticated information disclosure by accessing the Elasticsearch database. Attackers could view sensitive operational data. This vulnerability is due to improper access control on Cisco Catalyst SD-WAN Manager for the Elasticsearch service. An attacker could exploit this vulnerability by sending a crafted HTTP request to a reachable Cisco Catalyst SD-WAN Manager system. A successful exploit could allow the attacker to view the Elasticsearch database content as the Elasticsearch user.
- CVE-2023-20254: A high severity vulnerability in the session management system of the Cisco Catalyst SD-WAN Manager multi-tenant feature which could allow an authenticated, remote attacker to access another tenant that is being managed by the same Cisco Catalyst SD-WAN Manager instance. This vulnerability is due to insufficient user session management within the Cisco Catalyst SD-WAN Manager system. An attacker could exploit this vulnerability by sending a crafted request to an affected system. A successful exploit could allow the attacker to access information about another tenant, make configuration changes, or possibly take a tenant offline and cause a DoS condition.
- CVE-2023-20262:A vulnerability in the SSH service of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to cause a process crash, resulting in a DoS condition for SSH access only. This vulnerability does not prevent the system from continuing to function, and web UI access is not affected.
These vulnerabilities demonstrate systemic security issues in Cisco SD-WAN Manager related to authentication, authorization, and access controls. An adversary able to exploit any of them could fully compromise the confidentiality, integrity, and availability of the controller.
Affected Systems and Versions
The critical unauthorized access and rollback vulnerabilities affect Cisco SD-WAN Manager versions 20.3 through 20.11. The information disclosure flaw impacts versions 20.3 to 20.9.
Cisco has released patches fixing the defects across affected versions. All users should upgrade to the latest available release. Delaying patches leaves organizations open to being compromised via these attack vectors.
| Release | CVE-2023-20252Critical SIR | CVE-2023-20253High SIR | CVE-2023-20034High SIR | CVE-2023-20254High SIR | CVE-2023-20262Medium SIR |
|---|---|---|---|---|---|
| Earlier than 20.3 | Not affected. | Not affected. | Migrate to a fixed release. | Not affected. | Migrate to a fixed release. |
| 20.3 | Not affected. | Not affected. | 20.3.4 | Not affected. | 20.3.7 |
| 20.4 | Not affected. | Migrate to a fixed release. | Migrate to a fixed release. | Migrate to a fixed release. | Migrate to a fixed release. |
| 20.5 | Not affected. | Migrate to a fixed release. | Migrate to a fixed release. | Migrate to a fixed release. | Migrate to a fixed release. |
| 20.6 | Not affected. | 20.6.2 | 20.6.1 | 20.6.3.4 | 20.6.6 |
| 20.7 | Not affected. | 20.7.1 | 20.7.1 | Migrate to a fixed release. | Migrate to a fixed release. |
| 20.8 | Not affected. | 20.8.1 | Not affected. | Migrate to a fixed release. | Migrate to a fixed release. |
| 20.9 | 20.9.41 | 20.9.1 | Not affected. | 20.9.3.2 | 20.9.3 |
| 20.10 | Not affected. | 20.10.1 | Not affected. | 20.10.1.2 | Migrate to a fixed release. |
| 20.11 | Migrate to a fixed release.1 | 20.11.1 | Not affected. | 20.11.1.2 | 20.11.1 |
| 20.12 | Not affected. | Not affected. | Not affected. | Not affected. | 20.12.1 |
Hardening Cisco SD-WAN Manager Security
In addition to patching, several best practices can help harden Cisco SD-WAN Manager environments against threats:
- Carefully restrict SAML API, CLI, and database access to the minimum necessary.
- Employ robust multi-factor authentication for admin access.
- Monitor logs and alerts for signs of unauthorized activity.
- Consider using a zero-trust network access model for controllers.
- Keep controllers fully isolated from external networks.
Controlling access is critical given the power centralized controllers have over overall network operations.
Recommended Actions for Customers
Organizations using affected Cisco SD-WAN Manager versions should immediately take these steps:
- Audit your deployment to identify vulnerable systems.
- Apply the latest patched controller release.
- Tighten access controls per the hardening tips above.
- Closely monitor logs and alerts for any sign of compromise.
- Consider perimeter controls like firewalls and IPS to detect and block attacks.
- Validate multi-factor authentication is required for admin access.
Taking prompt action is essential to mitigate risks from these vulnerabilities being exploited in the wild.
The Growing Threat Landscape for SD-WAN
The vulnerabilities in Cisco SD-WAN Manager highlight that SD-WAN environments face an evolving threat landscape. Attack surfaces are increasing as networks shift to dynamic distributed architectures managed through centralized controllers.
It’s critical that organizations maintain rigorous security protections, patching, and hardening for their SD-WAN deployments. Paying close attention to vendor security advisories and best practices is essential to avoiding compromise.
SD-WAN introduces powerful benefits but also risks. As adoption accelerates, so too will efforts by attackers to exploit potential vulnerabilities. Proper planning, controls, and response procedures are vital to enjoying SD-WAN’s advantages safely.
Bottom Line
The critical flaws uncovered in Cisco SD-WAN Manager serve as a reminder of the need for comprehensive security strategies tailored for SD-WAN environments. Rapid response to patches, hardening, logging, and access controls are key to reducing the risk of attacks via centralized controllers.