The network appliances manufacturer giant Cisco published an advisory on 7th September 2022 (Updated on 09 September 2022) in which Cisco detailed an unauthenticated access vulnerability in Cisco SD-WAN vManage Software. The vulnerability tracked as CVE-2022-20696 is a High severity vulnerability with a CVSS score of 7.5 out of 10. The vulnerability is actually lice in the Cisco SD-WAN vManage Software that could allow an unauthenticated, adjacent attacker who has access to the VPN0 logical network to also access the messaging service ports on an affected system. Since this flaw allows the attacker to view and inject messages into the messaging service by connecting to the messaging service ports of the affected system, which can cause configuration changes or cause the system to reload, it is most important to fix the CVE-2022-20696 vulnerability. Let’s see how to fix CVE-2022-20696, an unauthenticated access vulnerability in Cisco SD-WAN vManage Software, in this post.
A Short Note on Cisco SD-WAN vManage Software
Cisco SD-WAN vManage software is a centralized management system that allows you to manage your Cisco SD-WAN network from a single pane of glass. It provides you with the ability to configure and monitor all aspects of your network, including routers, switches, and WAN Edge devices. vManage also gives you the ability to view end-to-end network performance and troubleshoot any issues that may arise. In addition, vManage provides granular control over traffic policies and routing decisions, allowing you to optimize your network for specific applications and workloads.
Summary of CVE-2022-20696
This is an Unauthenticated Access Vulnerability in Cisco SD-WAN vManage Software, a centralized management system that allows you to manage your Cisco SD-WAN network. The flaw is due to the lack of sufficient protection mechanisms in the messaging server container ports on an affected system. This vulnerability could allow attackers to view and inject messages into the messaging service by connecting to the messaging service ports of the affected system, which can cause configuration changes or cause the system to reload.
| Associated CVE ID | CVE-2022-20696 |
| Description | An Unauthenticated Access Vulnerability in Cisco SD-WAN vManage Software |
| Associated ZDI ID | – |
| CVSS Score | 7.5 High |
| Vector | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Impact Score | – |
| Exploitability Score | – |
| Attack Vector (AV) | Adjacent Network |
| Attack Complexity (AC) | High |
| Privilege Required (PR) | None |
| User Interaction (UI) | None |
| Scope | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| availability (a) | High |
“To exploit this vulnerability, the attacker must be able to send network traffic to interfaces within the VPN0 logical network. This network may be restricted to protect logical or physical adjacent networks, depending on device deployment configuration.”
-Cisco
Cisco Products Vulnerable to CVE-2022-20696
Cisco advisory says that this Unauthenticated Access Vulnerability affects all Cisco devices if they are running a vulnerable version of Cisco SD-WAN vManage Software.
How to Fix CVE-2022-20696- An Unauthenticated Access Vulnerability in Cisco SD-WAN vManage Software?
Since the vulnerability lice in the messaging server container ports in vulnerable versions of Cisco SD-WAN vManage Software, attackers could exploit the flaw on all Cisco devices running a vulnerable version of Cisco SD-WAN vManage Software by connecting to the messaging service ports of the affected system. As a workaround, network administrators are advised to block ports 4222, 6222, and 8222, ports used by Cisco SD-WAN vManage Software messaging services. In addition to this, the vendor asked admins to block these ports on perimeter security deployments like firewalls and Cloud Controllers.
See Also Decoding TLS v1.2 Protocol Handshake With Wireshark
Cisco has released security patches to fix the CVE-2022-20696 vulnerability. Please refer to this table to see the vulnerable versions of Cisco SD-WAN vManage Software Release with recommended fixes. We recommend upgrading to an appropriate fixed software release, as shown in the below table.
| Cisco SD-WAN vManage Software Release | First Fixed Release |
|---|---|
| Earlier than 20.3 | Migrate to a fixed release. |
| 20.3 | Migrate to a fixed release. |
| 20.6 | 20.6.4 |
| 20.7 | Migrate to a fixed release. |
| 20.8 | Migrate to a fixed release. |
| 20.9 | 20.9.1 |
How to Upgrade the vManage Software in Cisco SD-WAN?
Follow this simple procedure to upgrade the Cisco SD-WAN vManage Software.Source: SivakumarNetLabs
Time needed: 15 minutes.
How to Upgrade the vManage Software in Cisco SD-WAN?
- Browse Cisco Software Download Center.Cisco is serving a dedicated upgrade images for Cisco SD-WAN vManage Software on its Software Download Center: https://software.cisco.com/download/home/286320995/type
- Download the upgrade image from the Cisco Software Download Center.Click on ‘SD-WAN Software Update’ to and select the latest version available to download. In this case we have selected v20.3.1(ED). Download both the files if needed.
- Add the Upgrade image to the Cisco vManage Software.To upload the image to the Software Repository, Go to Maintenance -> Software Repository in the Cisco vManage console. Click the ‘Add new Software‘ dropdown and select ‘vManage‘ option.
Browse the image and upload the downloaded upgrade image to the Software Repository.
Note: Upload the vmanage-20.9.1-x86_64.tar.gz before uploading the viptela-20.9.1-x86_64.tar.gz.
- Apply the upgrade image.To apply the image, again go to Maintenance -> Software Upgrade. You will see three options, WAN Edge, Controller, and vManage. Select the vManage option. Click on the ‘Upgrade‘ then choose the version from the dropdown then click on the ‘Upgrade’ button.
The upgradation process will take few minutes to complete.
- Activate the upgrade package.The activation procedure is very simple and straight. Go to Maintenance -> Software Upgrade. Select the vManage option. Click on ‘Activate‘. then choose the version from the dropdown then click on the ‘Activate‘ button. SD-WAN appliance will reboot by itself as part of the activation process. That’s it. This is how you should upgrade the vManage Software on Cisco SD-WAN.
- Verify the vManage version on Cisco SD-WAN.Issue this command on CLI to see the version of vManage. Alternatively, you can go to Help -> About to see the version info on the GUI console.
# sh soft
Cisco Software Checker Utility
Cisco has published Cisco Software Checker service to search for Cisco Security Advisories for specific Cisco IOS, IOS XE, NX-OS, and NX-OS in ACI Mode software releases. We recommend to use this awesome tool from Cisco to ensure no advisories are skipped to action against the discovered known vulnerabilities.
For Example: if you want to check the advisories for Cisco Nexus 3000 Nexus Switch running 7.0 NX-OS. Select your Cisco Operating System, NX-OS Platform, NX-OS release versions from the dropdown. Click Continue button. Select the Advisory Impact Rating then click Continue button again. You will see a list of Security Advisories That Affect This Release.
Cisco Switcher Not-Affected By CVE-2022-20696:
Cisco clearly says that these products are safe and not affected by the CVE-2022-20696 flaw. Administrators can ignore taking action on these products.
- IOS XE SD-WAN Software
- SD-WAN vBond Orchestrator Software
- SD-WAN vEdge Cloud Routers
- SD-WAN vEdge Routers
- SD-WAN vSmart Controller Software
