{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-049.pdf"
    },
    "title": "Critical Vulnerability in Cisco SD-WAN vManage",
    "serial_number": "2023-049",
    "publish_date": "17-07-2023 09:05:59",
    "description": "On July 12, 2023, Cisco released an advisory to address a critical vulnerability in the request authentication validation for the REST API of Cisco SD-WAN vManage software. Cisco SD-WAN vManage API is a REST API for controlling, configuring, and monitoring the Cisco devices in an overlay network. The vulnerability could allow an unauthenticated, remote attacker to gain read permissions or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance. It is tracked as \"CVE-2023-20214\" and has a CVSS score of 9.1.<br>\nThe Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability.<br>\n",
    "url_title": "2023-049",
    "content_markdown": "--- \ntitle: 'Critical Vulnerability in\u00a0Cisco\u00a0SD-WAN\u00a0vManage' \nversion: '1.0'\nnumber: '2023-049'\noriginal_date: 'July 12, 2023'\ndate: 'July 17, 2023'\n---\n\n_History:_\n\n* _17/07/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn July 12, 2023, Cisco released an advisory to address a critical vulnerability in the request authentication validation for the REST API of Cisco SD-WAN vManage software. Cisco SD-WAN vManage API is a REST API for controlling, configuring, and monitoring the Cisco devices in an overlay network. The vulnerability could allow an unauthenticated, remote attacker to gain read permissions or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance. It is tracked as `CVE-2023-20214` and has a CVSS score of 9.1.\n\nThe Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability [1].\n\n# Technical Details\n\nThis vulnerability is due to insufficient request validation when using the REST API feature. An attacker could exploit this vulnerability by sending a crafted API request to an affected vManage instance. A successful exploit could allow the attacker to retrieve information from and send information to the configuration of the affected Cisco vManage instance. This vulnerability only affects the REST API and does not affect the web-based management interface or the CLI [1].\n\n## Detection\n\nConstituents may be able to detect attempts to access the REST API by examining the log file. The REST API log file is located at the following path in the vManage filesystem: `/var/log/nms/vmanage-server.log`. If the following line:\n\n```\nRequest Stored in Map is (/dataservice/client/server) for user (admin)\n```\n\nappears in the log, the REST API has received requests [1].\n\n# Affected Products\n\nAffected Cisco SD-WAN vManage Releases [1]:\n\n- 20.6.3.3\n- 20.6.4\n- 20.6.5\n- 20.7 \n- 20.8 \n- 20.9\n- 20.10\n- 20.11\n\n# Recommendations\n\nCERT-EU strongly recommends update the affected versions of the software.\n\n## Workarounds\n\nThere are no workarounds that address this vulnerability. However, to mitigate this vulnerability and significantly reduce the attack surface, network administrators should enable access control lists (ACLs) to limit access to the vManage instance [1].\n\n\n# References\n\n[1] <https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-unauthapi-sphCLYPA>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>17/07/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On July 12, 2023, Cisco released an advisory to address a critical vulnerability in the request authentication validation for the REST API of Cisco SD-WAN vManage software. Cisco SD-WAN vManage API is a REST API for controlling, configuring, and monitoring the Cisco devices in an overlay network. The vulnerability could allow an unauthenticated, remote attacker to gain read permissions or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance. It is tracked as <code>CVE-2023-20214</code> and has a CVSS score of 9.1.</p><p>The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability [1].</p><h2 id=\"technical-details\">Technical Details</h2><p>This vulnerability is due to insufficient request validation when using the REST API feature. An attacker could exploit this vulnerability by sending a crafted API request to an affected vManage instance. A successful exploit could allow the attacker to retrieve information from and send information to the configuration of the affected Cisco vManage instance. This vulnerability only affects the REST API and does not affect the web-based management interface or the CLI [1].</p><h3 id=\"detection\">Detection</h3><p>Constituents may be able to detect attempts to access the REST API by examining the log file. The REST API log file is located at the following path in the vManage filesystem: <code>/var/log/nms/vmanage-server.log</code>. If the following line:</p><pre><code>Request Stored in Map is (/dataservice/client/server) for user (admin)\n</code></pre><p>appears in the log, the REST API has received requests [1].</p><h2 id=\"affected-products\">Affected Products</h2><p>Affected Cisco SD-WAN vManage Releases [1]:</p><ul><li>20.6.3.3</li><li>20.6.4</li><li>20.6.5</li><li>20.7 </li><li>20.8 </li><li>20.9</li><li>20.10</li><li>20.11</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends update the affected versions of the software.</p><h3 id=\"workarounds\">Workarounds</h3><p>There are no workarounds that address this vulnerability. However, to mitigate this vulnerability and significantly reduce the attack surface, network administrators should enable access control lists (ACLs) to limit access to the vManage instance [1].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-unauthapi-sphCLYPA\">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-unauthapi-sphCLYPA</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}