Cisco is warning of five new vulnerabilities in its Catalyst SD-WAN Manager product. The most critical vulnerability allows unauthorized remote access to the server. The vulnerabilities discovered in SD-WAN Manager allow an attacker to access the compromised instance or cause a denial of service (DoS) condition on an affected system. Barracuda MSP recommends reviewing this Cybersecurity Threat Advisory in detail and following the recommendations below.
What is the threat?
The five vulnerabilities affecting Cisco Catalyst SD-WAN Manager are as follows:
- CVE-2023-20252: A vulnerability that allows unauthenticated remote access to an application as an arbitrary user.
- CVE-2023-20253: A vulnerability that allows an authenticated, local attacker with “read-only” privileges to bypass authorization and roll back controller configurations.
- CVE-2023-20034: A vulnerability in the access control implementation for Elasticsearch that could permit unauthenticated, remote access to the Elasticsearch database of an affected system with the privileges of an authenticated Elasticsearch user.
- CVE-2023-20254: A vulnerability in the SD-WAN Manager multi-tenant feature that allows an authenticated, remote attacker to access another tenant managed by the same SD-WAN Manager instance.
- CVE-2023-20262: A vulnerability in the SSH service that allows an unauthenticated, remote attacker to cause a process crash, resulting in a DoS condition for SSH access only.
Why is it noteworthy?
The most severe flaw is CVE-2023-20252. A successful attack can lead to unauthorized access to the application as an arbitrary user. The flaw can be leveraged by sending crafted requests directly to the Security Assertion Markup Language (SAML) APIs, which will generate arbitrary authorization tokens that allow unconditional access to the application. Exploitation of this vulnerability can result in user exploitation, unauthorized access to, modification of, or deletion of data, and service disruption.
What is the exposure or risk?
These five flaws impact various versions of Cisco Catalyst SD-WAN Manager. CVE-2023-20252 impacts releases 184.108.40.206 and 220.127.116.11 but does not affect older releases in the 20.9 and 20.11 branches. CVE-2023-20034 is also remotely exploitable without requiring authentication. However, its severity is mitigated by the fact that access is limited to the Elasticsearch database with the privileges of the Elasticsearch user.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of the Cisco Catalyst vulnerabilities:
- Immediately apply the latest patches and updates provided by Cisco to address these vulnerabilities.
- Review and strengthen access controls and authentication mechanisms. Ensure that only authorized personnel have access to critical systems and functions.
- Ensure that the devices to be upgraded contain sufficient memory. Also confirm that current hardware and software configurations will continue to be supported by the new release.
For more in-depth information about the recommendations, please visit the following links:
- Cisco Catalyst SD-WAN Manager Vulnerabilities
- Cisco Catalyst SD-WAN Manager flaw allows remote server access (bleepingcomputer.com)
If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.