Cisco Solves Critical Gap in SD-WAN vManage

Cisco has released updates to address a critical vulnerability in its SD-WAN vManage software. The US cybersecurity authority CISA has warned that attackers can exploit this vulnerability to gain complete control over affected systems. The vulnerability lies in the authentication of requests to the REST API of Cisco’s SD-WAN vManage. It allows unauthenticated remote attackers to gain read access or restricted write access to the configuration of affected instances.

Note that the web-based administration interface and the command-line interface are not affected by this vulnerability; only the REST API is vulnerable. There is no workaround, as the API is active by default and cannot be deactivated. IT managers can check the log files for attempts to access the REST API. However, they must determine for themselves whether the requests are legitimate, because the presence of access alone does not indicate that the vulnerability was exploited. The relevant log can be viewed with the command “show log /var/log/nms/vmanage-server.log”. According to Cisco, entries of the type “Request Stored in Map is (/dataservice/client/server) for user (admin)” indicate REST API access.
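The log review described above can be scripted. The following is an added example, not Cisco's tooling and not part of the original article: it extracts the user and path from each REST API entry and separates accesses matching an operator-supplied list of expected callers from those needing manual review. The sample log lines, the `svc-monitor` user, the `/dataservice/example/config` path and the allowlist are constructed assumptions; only the "Request Stored in Map" fragment comes from the article.

```python
import re
from collections import Counter

# Fragment the article quotes as the indicator of REST API access. The rest of
# each line (timestamp, level, thread) is not assumed and is ignored.
ENTRY = re.compile(
    r"Request Stored in Map is \((?P<path>[^)]*)\) for user \((?P<user>[^)]*)\)"
)

# Constructed sample lines; the prefixes are illustrative, not real vManage output.
SAMPLE_LOG = """\
01-Jan-2024 10:00:01 INFO [constructed] Request Stored in Map is (/dataservice/client/server) for user (admin)
01-Jan-2024 10:00:02 INFO [constructed] Some unrelated message
01-Jan-2024 10:00:05 INFO [constructed] Request Stored in Map is (/dataservice/client/server) for user (admin)
01-Jan-2024 10:03:17 INFO [constructed] Request Stored in Map is (/dataservice/example/config) for user (svc-monitor)
"""

def rest_api_accesses(lines):
    """Yield (user, path) for every line containing the REST API marker."""
    for line in lines:
        m = ENTRY.search(line)
        if m:
            yield m.group("user"), m.group("path")

def triage(lines, expected):
    """Count accesses per (user, path) and split them into known / to-review.

    `expected` maps a user name to the path prefixes that user's known
    tooling legitimately calls (site-specific, supplied by the operator).
    """
    counts = Counter(rest_api_accesses(lines))
    known, review = {}, {}
    for (user, path), n in counts.items():
        ok = any(path.startswith(p) for p in expected.get(user, ()))
        (known if ok else review)[(user, path)] = n
    return known, review

if __name__ == "__main__":
    expected = {"admin": ["/dataservice/client/"]}  # hypothetical allowlist
    known, review = triage(SAMPLE_LOG.splitlines(), expected)
    for (user, path), n in sorted(review.items()):
        print(f"REVIEW {n:4d}  user={user}  path={path}")
```

An entry landing in the review set is only a prompt for a human to check it against known integrations; as the article notes, access by itself does not show exploitation.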

To mitigate the risk, Cisco recommends using access control lists (ACLs) to restrict access to vManage instances. However, the better option is for administrators to install the updated software. The vulnerability affects Cisco’s SD-WAN vManage from version 2.6.3.3 up to and including 20.11. It is fixed in versions 20.6.3.4, 20.6.4.2, 20.6.5.5, 20.9.3.2, 20.10.1.2, and 20.11.1.2. Those still using vManage 20.7 or 20.8 should migrate to one of the fixed releases listed above.

In addition to this vulnerability, a separate vulnerability in Cisco’s Nexus 9000 devices has been discovered. This vulnerability allows attackers to read and modify encrypted traffic. Unfortunately, there is currently no update or workaround available for this issue.

Overall, it is crucial for organizations using Cisco’s SD-WAN vManage software to update to the latest version to address the critical vulnerability. It is also important to monitor access attempts to the REST API and employ Access Control Lists to control access in order to mitigate the risk.
