Cisco Catalyst SD-WAN Manager Vulnerabilities [CVE-2023-20034, CVE-2023-20252, CVE-2023-20253, CVE-2023-20254, CVE-2023-20262]

CVE numbers – CVE-2023-20034 and CVE-2023-20252 and CVE-2023-20253 and CVE-2023-20254 and CVE-2023-20262

Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager, formerly Cisco SD-WAN vManage, could allow an attacker to access an affected instance or cause a denial of service (DoS) condition on an affected system.

The full advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vman-sc-LRLfu2z

CVE-2023-20252: Cisco Catalyst SD-WAN Manager Unauthorized Access Vulnerability

A vulnerability in the Security Assertion Markup Language (SAML) APIs of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain unauthorized access to the application as an arbitrary user.

This vulnerability is due to improper authentication checks for SAML APIs. An attacker could exploit this vulnerability by sending requests directly to the SAML APIs. A successful exploit could allow the attacker to generate an authorization token sufficient to access the application.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Bug ID(s): CSCwh03202
CVE ID: CVE-2023-20252
Security Impact Rating (SIR): Critical
CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2023-20253: Cisco Catalyst SD-WAN Manager Unauthorized Configuration Rollback Vulnerability

A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker with read-only privileges to bypass authorization and roll back controller configurations, which could then be deployed to the downstream routers.

This vulnerability is due to improper access control enforcement on the Cisco Catalyst SD-WAN Manager CLI. An attacker with read-only access to the CLI could exploit this vulnerability by initiating a configuration rollback on the Cisco Catalyst SD-WAN Manager controller. A successful exploit could allow the attacker to roll back the configuration on an affected Cisco Catalyst SD-WAN Manager instance, which could then be deployed to the downstream routers.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Bug ID(s): CSCvz62234
CVE ID: CVE-2023-20253
Security Impact Rating (SIR): High
CVSS Base Score: 8.4
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

CVE-2023-20034: Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability

A vulnerability in the access control implementation for Elasticsearch that is used in Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to access the Elasticsearch database of an affected system with the privileges of the Elasticsearch user.

This vulnerability is due to improper access control on Cisco Catalyst SD-WAN Manager for the Elasticsearch service. An attacker could exploit this vulnerability by sending a crafted HTTP request to a reachable Cisco Catalyst SD-WAN Manager system. A successful exploit could allow the attacker to view the Elasticsearch database content as the Elasticsearch user.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Bug ID(s): CSCvw59643
CVE ID: CVE-2023-20034
Security Impact Rating (SIR): High
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2023-20254: Cisco Catalyst SD-WAN Manager Authorization Bypass Vulnerability

A vulnerability in the session management system of the Cisco Catalyst SD-WAN Manager multi-tenant feature could allow an authenticated, remote attacker to access another tenant that is being managed by the same Cisco Catalyst SD-WAN Manager instance. This vulnerability requires the multi-tenant feature to be enabled.

This vulnerability is due to insufficient user session management within the Cisco Catalyst SD-WAN Manager system. An attacker could exploit this vulnerability by sending a crafted request to an affected system. A successful exploit could allow the attacker to access information about another tenant, make configuration changes, or possibly take a tenant offline and cause a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Bug ID(s): CSCwf55823, CSCwf68936
CVE ID: CVE-2023-20254
Security Impact Rating (SIR): High
CVSS Base Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2023-20262: Cisco Catalyst SD-WAN Manager Denial of Service Vulnerability

A vulnerability in the SSH service of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to cause a process crash, resulting in a DoS condition for SSH access only. This vulnerability does not prevent the system from continuing to function, and web UI access is not affected.

This vulnerability is due to insufficient resource management when an affected system is in an error condition. An attacker could exploit this vulnerability by sending malicious traffic to the affected system. A successful exploit could allow the attacker to cause the SSH process to crash and restart, resulting in a DoS condition for the SSH service.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Bug ID(s): CSCwd46383
CVE ID: CVE-2023-20262
Security Impact Rating (SIR): Medium
CVSS Base Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L