cisco-sa-sdwan-rpa-EHchtZk · Critical
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system does not function as intended. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate the network configuration of the SD-WAN fabric. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
There are no workarounds that address this vulnerability. However, as a mitigation, customers may use the following guidance to temporarily mitigate the impact of this vulnerability while they are planning to upgrade to a first fixed release.
Mitigation actions by deployment type (responsible owner in parentheses):

On-Prem Deployment (owner: Customer): Follow the guidelines in the Firewall Ports for Cisco Catalyst SD-WAN Deployments section of the Cisco Catalyst SD-WAN Getting Started Guide: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/cisco-sd-wan-overlay-network-bringup.html#c_Firewall_Ports_for_Viptela_Deployments_8690.xml
Customers who host their own Cisco Catalyst SD-WAN deployment in their own data centers must secure intra-controller connectivity. Cisco recommends adding access control lists (ACLs), security group rules, and/or firewall rules that restrict traffic to TCP port 22 (SSH) and TCP port 830 (NETCONF over SSH) so that only known controller IPs and other known IPs can reach them. Customers must also configure these mitigation ACLs to allow IP traffic only from the specific hosts or devices that require access to the Cisco Catalyst SD-WAN Control Components.

Cisco Hosted SD-WAN Cloud (owner: Customer): These guardrails are already in place for Cisco Hosted SD-WAN Cloud.

Cisco Hosted SD-WAN Cloud - FedRAMP Environment (owner: Customer): These guardrails are already in place for Cisco Hosted SD-WAN Cloud - FedRAMP Environment.

Cisco Hosted SD-WAN Cloud - Cisco Managed (owner: Customer and Cisco): These guardrails are already in place for Cisco Hosted SD-WAN Cloud - Cisco Managed.
While this mitigation has been deployed and was proven successful in a test environment, customers should determine its applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network, depending on the customer's deployment scenario and its constraints. Customers should not deploy any workarounds or mitigations before first evaluating their applicability to their own environment and any impact on that environment.
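As an added example for the on-prem mitigation above (this is not code from the Cisco advisory or from any Cisco tool), the POSIX shell script below generates an nftables ruleset that restricts TCP 22 and TCP 830 on a control component to an allowlist of known controller and management sources, and evaluates candidate connections against the same policy offline so the allowlist can be checked before anything is applied. The addresses are constructed placeholders from documentation ranges, and the table name, set name and helper functions are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Cisco's code): build and sanity-check a host firewall
# policy for on-prem SD-WAN control components that restricts SSH (TCP 22)
# and NETCONF over SSH (TCP 830) to known controller/management sources.
# All addresses below are constructed placeholders from documentation ranges.

# Known controller and management sources allowed to reach 22/830 (constructed).
ALLOWED_SOURCES="203.0.113.10 203.0.113.11 198.51.100.0/24"
# Ports the mitigation guidance says to restrict.
RESTRICTED_PORTS="22 830"

# Emit (but do not apply) an nftables ruleset implementing the policy:
# accept the restricted ports only from the allowlist, drop any other new
# connection to them, and leave all other traffic to the existing policy.
emit_nft_ruleset() {
    sources=$(printf '%s' "$ALLOWED_SOURCES" | sed 's/ /, /g')
    ports=$(printf '%s' "$RESTRICTED_PORTS" | sed 's/ /, /g')
    cat <<EOF
table inet sdwan_mitigation {
    set allowed_sources {
        type ipv4_addr
        flags interval
        elements = { $sources }
    }
    chain input {
        type filter hook input priority -10; policy accept;
        ct state established,related accept
        tcp dport { $ports } ip saddr @allowed_sources accept
        tcp dport { $ports } ct state new drop
    }
}
EOF
}

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NETWORK: NETWORK is "a.b.c.d/len" or a bare host address.
in_cidr() {
    case "$2" in
        */*) net=${2%/*}; len=${2#*/} ;;
        *)   net=$2;      len=32 ;;
    esac
    # 4294967295 is 0xFFFFFFFF; mask off the high bits after the shift.
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# policy_decision SRC_IP DST_PORT: exit 0 if the ruleset above would accept a
# new connection, 1 if it would drop it. Lets the allowlist be checked offline.
policy_decision() {
    for p in $RESTRICTED_PORTS; do
        if [ "$p" = "$2" ]; then
            for allowed in $ALLOWED_SOURCES; do
                in_cidr "$1" "$allowed" && return 0
            done
            return 1
        fi
    done
    return 0   # not a restricted port: falls through to the existing policy
}

# Stand-alone usage: print the ruleset, then a few policy checks.
emit_nft_ruleset
for probe in "203.0.113.10 830" "192.0.2.5 830" "198.51.100.77 22" "192.0.2.5 443"; do
    set -- $probe
    if policy_decision "$1" "$2"; then verdict=accept; else verdict=drop; fi
    echo "$1 -> tcp/$2: $verdict"
done
```

The ruleset is printed rather than loaded so it can be reviewed and diffed against the deployment's existing policy first; on the host it would be applied with `nft -f`. The `policy_decision` helper mirrors only the allowlist logic of the two `tcp dport` rules, so use it to confirm that every controller, the management jump hosts, and nothing else resolves to accept before rolling the rules out.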