Cisco patches Catalyst SD-WAN vulnerabilities

Cisco has patched vulnerabilities in several versions of its Catalyst SD-WAN software.

The company said the vulnerabilities affect SD-WAN APIs, the command line interface (CLI) and an Elasticsearch implementation. They also introduce authentication and denial-of-service issues.

The most serious of the bugs is CVE-2023-20252, an unauthorised access vulnerability in Catalyst SD-WAN’s security assertion markup language (SAML) APIs. It has a CVSS score of 9.8.

“This vulnerability is due to improper authentication checks for SAML APIs. An attacker could exploit this vulnerability by sending requests directly to the SAML APIs,” the advisory stated.

This would give the attacker access to the application as an arbitrary user. There are no workarounds, so users will have to patch.

CVE-2023-20253, with a CVSS of 8.4, is a bug in SD-WAN’s command line interface (CLI) that allows an attacker to bypass a unit’s authentication and roll back a controller’s configurations, “which could then be deployed to the downstream routers.”

CVE-2023-20034 (CVSS 7.5) is described as “a vulnerability in the access control implementation for Elasticsearch that is used in Cisco Catalyst SD-WAN Manager”.

An unauthenticated remote attacker can access the Elasticsearch database of an affected system via a crafted HTTP request. This would let the attacker view the contents of the Elasticsearch database.

CVE-2023-20254 (CVSS 7.2) is a session management vulnerability that “could allow an authenticated, remote attacker to access another tenant that is being managed by the same Cisco Catalyst SD-WAN Manager instance”.

“A successful exploit could allow the attacker to access information about another tenant, make configuration changes, or possibly take a tenant offline and cause a DoS condition,” the advisory stated.

Finally, with a CVSS of 5.3, CVE-2023-20262 allows an unauthenticated remote attacker to crash the SSH process.

The bugs affect various versions of the Catalyst SD-WAN software in the Version 20.n branch, with patches available for all affected products.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts