Cisco SD-WAN vManage Unauthenticated REST API Access Vulnerability
CERT-MU Advisories AD-2023-02
Date of Issue: 24 July 2023
Severity Rating: High
Systems Affected:
- IOS XE
- IOS XE SD-WAN
- SD-WAN cEdge Routers
- SD-WAN vBond Orchestrator Software
- SD-WAN vEdge Cloud Routers
- SD-WAN vEdge Routers
- SD-WAN vSmart Controller Software
Description
Cisco SD-WAN vManage API is a REST API for controlling, configuring, and monitoring the Cisco devices in an overlay network. Use cases for the vManage API include the following:
- Monitoring device status
- Configuring a device, such as attaching a template to a device
- Querying and aggregating device statistics
Customers may be able to detect attempts to access the REST API by examining the log file. The REST API log file is located at the following path in the vManage filesystem: /var/log/nms/vmanage-server.log.
Administrators can use the CLI command show log, as in the following example, to view the content of the vmanage-server.log file:
vmanage# show log /var/log/nms/vmanage-server.log
If Request Stored in Map is (/dataservice/client/server) for user (admin) appears in the log, the REST API has received requests:
30-Jun-2023 15:17:03,888 UTC INFO [ST3_vmanage1] [AppServerLoginModule] (default task-202) |default| Localization: Locale value after setting for non-SAML User upon login: null
30-Jun-2023 15:17:03,930 UTC INFO [ST3_vmanage1] [UserUtils] (default task-202) |default| Request Stored in Map is (/dataservice/client/server) for user (admin)
30-Jun-2023 15:17:03,933 UTC INFO [ST3_vmanage1] [UserUtils] (default task-202) |default| localUserFile : /etc/viptela/aaa_auth_grp/admin, radiusUserFile : /etc/viptela/aaa_auth_grp/admin.external
30-Jun-2023 15:17:03,933 UTC INFO [ST3_vmanage1] [UserUtils] (default task-202) |default| localUserFile exists : false, isFile : false
However, customers must perform their own impact analysis based on the information in the log and any user accounts configured on the vManage. The preceding log output is an example only, for customer reference. User account requests that are seen in this log may vary depending on the configuration of the user accounts within customers’ vManage instance.
Solution
There are no workarounds that address this vulnerability. However, to mitigate this vulnerability and significantly reduce the attack surface, network administrators should enable access control lists (ACLs) to limit access to the vManage instance.
In cloud hosted deployments, access to vManage is limited by ACLs that contain permitted IP addresses. Network administrators should review and edit the permitted IP addresses in the ACLs. In on-premises deployments, vManage access can be limited in a similar way by using ACLs and configuring permitted IP addresses.
While this mitigation has been deployed and was proven successful in a test environment, users should determine the applicability and effectiveness in their own environment and under their own use conditions. Users should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Users should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
Ministry of Information Technology, Communication and Innovation
2nd Floor, Wing A,
Shri Atal Bihari Vajpayee Tower,
Cybercity Ebene.