Alert essentials:
Cisco warns system administrators to update Catalyst SD-WAN Manager to version 20.12 to close five vulnerabilities, the most severe of which lets a remote, unauthenticated attacker gain unauthorized access to the application.

Detailed threat description:
During internal security testing, Cisco discovered five vulnerabilities in Cisco Catalyst SD-WAN Manager. Their CVSS scores range from 5.3 to 9.8, with the most severe giving a remote, unauthenticated attacker access to the application.

Catalyst SD-WAN Manager exposes Security Assertion Markup Language (SAML) application programming interfaces (APIs). The most severe flaw is caused by improper authentication checks on those SAML APIs: an attacker can send requests directly to the API without first authenticating. A successful exploit generates an authorization token that grants the attacker access to the application.

The remaining four flaws are an unauthorized configuration rollback, an information disclosure, an authorization bypass, and a denial-of-service vulnerability. None of the five has been reported as actively exploited. The vulnerabilities are independent of one another: exploiting one is not a prerequisite for exploiting another, and each can be weaponized on its own. No workarounds are available, so patching is the only remediation that removes these vulnerabilities from an environment.

Impacts on healthcare organizations:
Wide area networks (WANs) deliver information and resources to users spread over a large geographic area. Cisco's SD-WAN Manager is the central management plane for that fabric, including the paths to cloud-hosted applications. Compromise of the manager could therefore leave clinical users with partial or complete loss of access to life-saving technology.

Affected Products / versions

  • These vulnerabilities affect all versions of Cisco Catalyst SD-WAN Manager prior to version 20.12

  • CVE-2023-20252 (SAML API unauthorized access, CVSS 9.8)
  • CVE-2023-20253 (unauthorized configuration rollback, CVSS 8.4)
  • CVE-2023-20034 (information disclosure, CVSS 7.5)
  • CVE-2023-20254 (authorization bypass, CVSS 7.2)
  • CVE-2023-20262 (denial of service, CVSS 5.3)

Engineering recommendations:

  • Confirm resources are available and upgrade Cisco Catalyst SD-WAN Manager to version 20.12 after testing
  • Verify the running release on every SD-WAN Manager instance before and after the upgrade; because no workaround exists, any instance still below the fixed release remains exposed
  • Remove or deny access to unnecessary and potentially vulnerable software
  • Use technical controls, such as application allow listing, to ensure that only authorized software can execute or be accessed
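To support the upgrade recommendation above, the following is an added example (not Cisco's or Fortified's tooling) that triages an inventory of SD-WAN Manager release strings against the 20.12 threshold this advisory names. The inventory is constructed; the threshold is the advisory's simplification, and Cisco publishes fixed releases per release train, so confirm the exact fixed release for each train against the vendor advisory rather than relying on this check alone. Unparseable version strings are reported separately instead of being silently treated as patched.

```python
"""Flag Cisco Catalyst SD-WAN Manager instances running a release older
than 20.12, the fixed version this advisory names.

Added example, not vendor tooling. SAMPLE_INVENTORY is constructed data;
FIXED_RELEASE is taken from the advisory text and may not reflect fixed
releases Cisco ships in other release trains.
"""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

FIXED_RELEASE = "20.12"

# Constructed sample inventory: hostname -> release string as reported by the device.
SAMPLE_INVENTORY: Dict[str, str] = {
    "sdwan-mgr-01": "20.9.2",
    "sdwan-mgr-02": "20.11.1",
    "sdwan-mgr-03": "20.12.1",
    "sdwan-mgr-04": "20.12",
    "sdwan-mgr-05": "19.2.4",
    "sdwan-mgr-06": "unknown",
}


def parse_release(release: str) -> Tuple[int, ...]:
    """Turn '20.9.2' into (20, 9, 2).

    Raises ValueError on anything that is not dotted integers so that junk
    input is surfaced rather than silently compared as 'patched'.
    """
    text = release.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised release string: {release!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(release: str, fixed: str = FIXED_RELEASE) -> bool:
    """True when `release` is older than `fixed`.

    Python tuple comparison handles differing lengths correctly:
    (20, 9, 2) < (20, 12) because 9 < 12, and (20, 12, 1) is not < (20, 12)
    because the longer tuple with an equal prefix compares greater.
    """
    return parse_release(release) < parse_release(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hosts into needs_upgrade / patched / unparseable."""
    result: Dict[str, List[str]] = {"needs_upgrade": [], "patched": [], "unparseable": []}
    for host, release in sorted(inventory.items()):
        try:
            bucket = "needs_upgrade" if is_affected(release) else "patched"
        except ValueError:
            bucket = "unparseable"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed `triage()` the release strings collected from your own instances; anything landing in `unparseable` needs a manual look, and anything in `needs_upgrade` has no mitigation short of the upgrade.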

Leadership / program recommendations:

  • Consider applying the Principle of Least Privilege on all systems and run all software as a non-privileged user

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.