Cisco SD-WAN vManage Unauthenticated REST API Access Vulnerability

CERT-MU Advisories AD-2023-02
Date of Issue: 24 July 2023
Severity Rating: High
Source: https://cert-mu.govmu.org/cert-mu/?page_id=1744 (page published 9 August 2023)

Systems Affected:
Cisco SD-WAN vManage software. The affected vManage releases are listed in the Cisco advisory referenced below.

Products confirmed not vulnerable (per the Cisco advisory):
- IOS XE
- IOS XE SD-WAN
- SD-WAN cEdge Routers
- SD-WAN vBond Orchestrator Software
- SD-WAN vEdge Cloud Routers
- SD-WAN vEdge Routers
- SD-WAN vSmart Controller Software

Description
The Cisco SD-WAN vManage API is a REST API for controlling, configuring, and monitoring the Cisco devices in an overlay network. Use cases for the vManage API include the following:
- Monitoring device status
- Configuring a device, such as attaching a template to a device
- Querying and aggregating device statistics

According to the Cisco advisory referenced below, a flaw in the request authentication validation for this REST API allows an unauthenticated, remote attacker to gain read permission, or limited write permission, to the configuration of an affected vManage instance.

Detection
Customers may be able to detect attempts to access the REST API by examining the REST API log file, which is located at the following path on the vManage filesystem: /var/log/nms/vmanage-server.log

Administrators can use the CLI command show log, as in the following example, to view the content of the vmanage-server.log file:

vmanage# show log /var/log/nms/vmanage-server.log

If "Request Stored in Map is (/dataservice/client/server) for user (admin)" appears in the log, the REST API has received requests:

30-Jun-2023 15:17:03,888 UTC INFO  [ST3_vmanage1] [AppServerLoginModule] (default task-202) |default| Localization: Locale value after setting for non-SAML User upon login: null
30-Jun-2023 15:17:03,930 UTC INFO  [ST3_vmanage1] [UserUtils] (default task-202) |default| Request Stored in Map is (/dataservice/client/server) for user (admin)
30-Jun-2023 15:17:03,933 UTC INFO  [ST3_vmanage1] [UserUtils] (default task-202) |default| localUserFile : /etc/viptela/aaa_auth_grp/admin, radiusUserFile : /etc/viptela/aaa_auth_grp/admin.external
30-Jun-2023 15:17:03,933 UTC INFO  [ST3_vmanage1] [UserUtils] (default task-202) |default| localUserFile exists : false, isFile : false

The preceding log output is an example only, for customer reference. Such an entry shows that a request reached the REST API and which user name it was attributed to; it does not by itself establish whether the request was legitimate. Customers must perform their own impact analysis based on the information in the log and on the user accounts configured on their vManage instance, since the user account requests seen in this log vary with how accounts are configured.

Solution
There are no workarounds that address this vulnerability. However, to mitigate it and significantly reduce the attack surface, network administrators should enable access control lists (ACLs) to limit access to the vManage instance. The Cisco advisory referenced below lists the software releases that fix the vulnerability; an ACL reduces exposure but does not replace upgrading.

In cloud-hosted deployments, access to vManage is already limited by ACLs that contain permitted IP addresses; network administrators should review and edit the permitted IP addresses in those ACLs. In on-premises deployments, vManage access can be limited in the same way, by configuring ACLs with permitted IP addresses.

While this mitigation has been deployed and proven successful in a test environment, users should determine its applicability and effectiveness in their own environment and under their own use conditions. Any workaround or mitigation may negatively affect the functionality or performance of the network, depending on the deployment scenario and its limitations, so users should evaluate applicability and impact before deploying it.

References
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-unauthapi-sphCLYPA

Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
Ministry of Information Technology, Communication and Innovation
2nd Floor, Wing A,
Shri Atal Bihari Vajpayee Tower,
Cybercity Ebene.
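The log review described in the Detection section, as an added example (this is not code from the CERT-MU page or from Cisco). It parses lines in the format of /var/log/nms/vmanage-server.log, pairs each "Request Stored in Map" entry with the "localUserFile exists" line that the same worker thread logs right after it, and flags requests attributed to a user name that is not in the operator's own account list. SAMPLE_LOG is constructed from the advisory's four lines plus two made-up lines for a second user, and KNOWN_ACCOUNTS is a placeholder for your own configured accounts.

```python
"""Triage helper for vManage REST API log entries (added example).

Not code from the CERT-MU page or from Cisco. Parses vmanage-server.log
lines, attaches each request's follow-up "localUserFile exists" result by
worker thread, and flags user names outside the operator's account list.
SAMPLE_LOG is constructed; KNOWN_ACCOUNTS is an assumption to replace.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the advisory's four lines plus two invented lines for a second user.
SAMPLE_LOG = """\
30-Jun-2023 15:17:03,888 UTC INFO  [ST3_vmanage1] [AppServerLoginModule] (default task-202) |default| Localization: Locale value after setting for non-SAML User upon login: null
30-Jun-2023 15:17:03,930 UTC INFO  [ST3_vmanage1] [UserUtils] (default task-202) |default| Request Stored in Map is (/dataservice/client/server) for user (admin)
30-Jun-2023 15:17:03,933 UTC INFO  [ST3_vmanage1] [UserUtils] (default task-202) |default| localUserFile : /etc/viptela/aaa_auth_grp/admin, radiusUserFile : /etc/viptela/aaa_auth_grp/admin.external
30-Jun-2023 15:17:03,933 UTC INFO  [ST3_vmanage1] [UserUtils] (default task-202) |default| localUserFile exists : false, isFile : false
30-Jun-2023 15:22:41,101 UTC INFO  [ST3_vmanage1] [UserUtils] (default task-210) |default| Request Stored in Map is (/dataservice/client/server) for user (netops)
30-Jun-2023 15:22:41,104 UTC INFO  [ST3_vmanage1] [UserUtils] (default task-210) |default| localUserFile exists : true, isFile : true
"""

# Assumption: the accounts the operator has actually provisioned on vManage.
KNOWN_ACCOUNTS = {"netops"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2},\d{3}) UTC (?P<level>\w+)\s+"
    r"\[(?P<node>[^\]]+)\] \[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) \|\w+\| (?P<msg>.*)$"
)
REQ_RE = re.compile(r"Request Stored in Map is \((?P<path>[^)]+)\) for user \((?P<user>[^)]+)\)")
EXISTS_RE = re.compile(r"localUserFile exists : (?P<exists>true|false)")


def parse_rest_requests(log_text):
    """Return one dict per REST request, with the thread's localUserFile result attached."""
    pending = {}   # thread name -> request dict still waiting for its localUserFile line
    requests = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        req = REQ_RE.search(msg)
        if req:
            entry = {
                "time": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S,%f"),
                "node": m.group("node"),
                "thread": thread,
                "path": req.group("path"),
                "user": req.group("user"),
                "local_user_file_exists": None,   # filled in from the follow-up line
                "raw": raw,
            }
            requests.append(entry)
            pending[thread] = entry
            continue
        ex = EXISTS_RE.search(msg)
        if ex and thread in pending:
            pending.pop(thread)["local_user_file_exists"] = ex.group("exists") == "true"
    return requests


def triage(requests, known_accounts):
    """Return (request, reasons) pairs that deserve a closer look.

    A user name outside the configured account list is the strongest signal.
    A missing local user file is only reported: the advisory's own sample shows
    it for admin, and whether that is normal depends on whether accounts are
    local or external, so it has to be judged per deployment.
    """
    flagged = []
    for r in requests:
        reasons = []
        if r["user"] not in known_accounts:
            reasons.append("user not in configured account list")
        if r["local_user_file_exists"] is False:
            reasons.append("no local user file for this user name")
        if reasons:
            flagged.append((r, reasons))
    return flagged


def requests_per_user(requests):
    """Request count per attributed user name, for a quick overview."""
    return dict(Counter(r["user"] for r in requests))


if __name__ == "__main__":
    reqs = parse_rest_requests(SAMPLE_LOG)
    print("REST requests per user:", requests_per_user(reqs))
    for r, reasons in triage(reqs, KNOWN_ACCOUNTS):
        print(f"{r['time']:%Y-%m-%d %H:%M:%S} {r['user']:<8} {r['path']}  <- {'; '.join(reasons)}")
```

Feed it the output of show log /var/log/nms/vmanage-server.log (or the file copied off the box) and replace KNOWN_ACCOUNTS with the accounts actually configured on the instance; the pairing by worker thread matters because the localUserFile lines do not repeat the user name.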
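The ACL review recommended in the Solution section, as an added example (not code from the CERT-MU page or from Cisco, and not vManage configuration syntax). Given the permitted source prefixes currently in the vManage ACL and the management hosts that must keep access, it reports entries too broad to be a real restriction, the hosts that would lose access once those entries are removed, and the host-specific entries to add instead. All prefixes and addresses are constructed from documentation ranges, and BROAD_PREFIX_LIMIT is an assumption about what counts as too broad.

```python
"""Allow-list review for the vManage ACL mitigation (added example).

Not from the CERT-MU page or from Cisco. Checks a permitted-IP list for
catch-all entries and works out which required hosts they were hiding.
PERMITTED and REQUIRED_SOURCES are constructed; BROAD_PREFIX_LIMIT is an
assumption to set per site.
"""
import ipaddress

# Constructed: a typical starting point, including a catch-all entry that
# makes the ACL a no-op.
PERMITTED = ["203.0.113.0/24", "198.51.100.7/32", "0.0.0.0/0"]
# Constructed: jump hosts and NOC addresses that legitimately need vManage.
REQUIRED_SOURCES = ["203.0.113.10", "198.51.100.7", "192.0.2.25"]
# Assumption: an entry shorter than /24 is treated as too broad to keep.
BROAD_PREFIX_LIMIT = 24


def review_acl(permitted, required_sources, broad_limit=BROAD_PREFIX_LIMIT):
    """Return the broad entries, the hosts they were hiding, and replacement entries."""
    nets = [ipaddress.ip_network(p, strict=False) for p in permitted]
    keep = [n for n in nets if n.prefixlen >= broad_limit]
    too_broad = [str(n) for n in nets if n.prefixlen < broad_limit]
    # A required host is "uncovered" if only a broad entry currently admits it.
    uncovered = [s for s in required_sources
                 if not any(ipaddress.ip_address(s) in n for n in keep)]
    # Host routes (/32 or /128) are the narrowest replacement entries.
    additions = [str(ipaddress.ip_network(s)) for s in uncovered]
    return {"too_broad": too_broad, "uncovered": uncovered, "additions": additions}


def is_permitted(source, permitted):
    """What the ACL decides for one source address under a given permitted list."""
    addr = ipaddress.ip_address(source)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in permitted)


if __name__ == "__main__":
    result = review_acl(PERMITTED, REQUIRED_SOURCES)
    tightened = [p for p in PERMITTED if p not in result["too_broad"]] + result["additions"]
    print("remove       :", result["too_broad"])
    print("add          :", result["additions"])
    print("tightened ACL:", tightened)
    for src in REQUIRED_SOURCES + ["198.51.100.200"]:
        print(f"{src:<16} {'permit' if is_permitted(src, tightened) else 'deny'}")
```

The point of separating "uncovered" from "too broad" is that deleting a catch-all entry is only safe once every host that relied on it has its own entry; the script lists exactly those hosts so the ACL can be tightened without locking out the people who administer vManage.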