Cisco has discovered a critical vulnerability in SD-WAN vManage. We urge all individuals responsible for managing such a network to carefully read this information and take immediate action.
What is this vulnerability?
The vulnerability is present in the REST API component of the vManage software. What makes it particularly concerning is that a malicious actor can exploit this vulnerability without needing a valid user login and can do so through remote access.
This vulnerability affects Cisco Catalyst SD-WAN (formerly known as Viptela) but does not impact Cisco Meraki SD-WAN. If exploited, the vulnerability allows the attacker to read and write information to the REST API. Permission to write is limited, according to Cisco. The vulnerability only affects the REST API, not the web/CLI interface.
How to addresses this vulnerability in SD-WAN vManage:
As an end user of the SD-WAN platform, NIL recommends the following steps for you:
Check if your vManage version is affected.
Verify that the access lists controlling access to vManage are reasonable and sufficiently restrictive. 1
Consider evaluating whether upgrading to a newer version is necessary.
Please refer to this article from Cisco for more detailed information about Cisco SD-WAN vManage Unauthenticated REST API Access Vulnerability, including the list of affected versions. The article also provides information on how to determine if any API calls have been made. However, it is important to note that this does not guarantee the identification of calls that have specifically exploited the vulnerability.
If you require consulting assistance to evaluate, prepare, and upgrade your SD-WAN environment, or if you have any other inquiries from the list above, please don’t hesitate to contact NIL.
Note 1: Having IP-based access that multiple employees can reach is not recommended.