CVE-2023-20034: Cisco Security Advisory: Cisco Catalyst SD-WAN Manager Vulnerabilities

The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other software vulnerabilities.

Details about the vulnerabilities are as follows:

CVE-2023-20252: Cisco Catalyst SD-WAN Manager Unauthorized Access Vulnerability

A vulnerability in the Security Assertion Markup Language (SAML) APIs of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain unauthorized access to the application as an arbitrary user.

This vulnerability is due to improper authentication checks for SAML APIs. An attacker could exploit this vulnerability by sending requests directly to the SAML APIs. A successful exploit could allow the attacker to generate an authorization token sufficient to access the application.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Bug ID(s): CSCwh03202
CVE ID: CVE-2023-20252
Security Impact Rating (SIR): Critical
CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2023-20253: Cisco Catalyst SD-WAN Manager Unauthorized Configuration Rollback Vulnerability

A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker with read-only privileges to bypass authorization and roll back controller configurations, which could then be deployed to the downstream routers.

This vulnerability is due to improper access control enforcement on the Cisco Catalyst SD-WAN Manager CLI. An attacker with read-only access to the CLI could exploit this vulnerability by initiating a configuration rollback on the Cisco Catalyst SD-WAN Manager controller. A successful exploit could allow the attacker to roll back the configuration on an affected Cisco Catalyst SD-WAN Manager instance, which could then be deployed to the downstream routers.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Bug ID(s): CSCvz62234
CVE ID: CVE-2023-20253
Security Impact Rating (SIR): High
CVSS Base Score: 8.4
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

CVE-2023-20034: Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability

A vulnerability in the access control implementation for Elasticsearch that is used in Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to access the Elasticsearch database of an affected system with the privileges of the Elasticsearch user.

This vulnerability is due to improper access control on Cisco Catalyst SD-WAN Manager for the Elasticsearch service. An attacker could exploit this vulnerability by sending a crafted HTTP request to a reachable Cisco Catalyst SD-WAN Manager system. A successful exploit could allow the attacker to view the Elasticsearch database content as the Elasticsearch user.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Bug ID(s): CSCvw59643
CVE ID: CVE-2023-20034
Security Impact Rating (SIR): High
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2023-20254: Cisco Catalyst SD-WAN Manager Authorization Bypass Vulnerability

A vulnerability in the session management system of the Cisco Catalyst SD-WAN Manager multi-tenant feature could allow an authenticated, remote attacker to access another tenant that is being managed by the same Cisco Catalyst SD-WAN Manager instance. This vulnerability requires the multi-tenant feature to be enabled.

This vulnerability is due to insufficient user session management within the Cisco Catalyst SD-WAN Manager system. An attacker could exploit this vulnerability by sending a crafted request to an affected system. A successful exploit could allow the attacker to access information about another tenant, make configuration changes, or possibly take a tenant offline and cause a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Bug ID(s): CSCwf55823, CSCwf68936
CVE ID: CVE-2023-20254
Security Impact Rating (SIR): High
CVSS Base Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2023-20262: Cisco Catalyst SD-WAN Manager Denial of Service Vulnerability

A vulnerability in the SSH service of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to cause a process crash, resulting in a DoS condition for SSH access only. This vulnerability does not prevent the system from continuing to function, and web UI access is not affected.

This vulnerability is due to insufficient resource management when an affected system is in an error condition. An attacker could exploit this vulnerability by sending malicious traffic to the affected system. A successful exploit could allow the attacker to cause the SSH process to crash and restart, resulting in a DoS condition for the SSH service.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Bug ID(s): CSCwd46383
CVE ID: CVE-2023-20262
Security Impact Rating (SIR): Medium
CVSS Base Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.

Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases

In the following table the first column lists Cisco Catalyst SD-WAN Manager releases and the subsequent columns indicate whether a release is affected by one or more of the vulnerabilities that are described in this advisory and the first fixed release for each vulnerability.

Release

CVE-2023-20252
Critical SIR

CVE-2023-20253
High SIR

CVE-2023-20034
High SIR

CVE-2023-20254
High SIR

CVE-2023-20262
Medium SIR

Earlier than 20.3

Not affected.

Migrate to a fixed release.

Migrate to a fixed release.

Migrate to a fixed release.

Migrate to a fixed release.

20.3

Not affected.

Migrate to a fixed release.

20.3.4

Migrate to a fixed release.

20.3.7

20.4

Not affected.

Migrate to a fixed release.

Migrate to a fixed release.

Migrate to a fixed release.

Migrate to a fixed release.

20.5

Not affected.

Migrate to a fixed release.

Migrate to a fixed release.

Migrate to a fixed release.

Migrate to a fixed release.

20.6

Not affected.

20.6.2

20.6.1

20.6.3.4

Migrate to a fixed release.

20.7

Not affected.

20.7.1

20.7.1

Migrate to a fixed release.

Migrate to a fixed release.

20.8

Not affected.

20.8.1

Not affected.

Migrate to a fixed release.

Migrate to a fixed release.

20.9

20.9.3.41

20.9.1

Not affected.

20.9.3.2

20.9.3

20.10

Not affected.

20.10.1

Not affected.

20.10.1.2

Migrate to a fixed release.

20.11

Migrate to a fixed release.1

20.11.1

Not affected.

20.11.1.2

20.11.1

20.12

Not affected.

Not affected.

Not affected.

Not affected.

20.12.1

1. For CVE-2023-20252, only releases 20.9.3.2 and 20.11.1.2 are affected. Previous releases in the 20.9 and 20.11 trains are not affected.

The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.