Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability
Vulnerability
An authentication bypass vulnerability has been identified in Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). It allows an unauthenticated, remote attacker to bypass authentication and gain administrative privileges on the affected system. The issue stems from a flaw in the peering authentication mechanism, which an attacker could exploit by sending crafted requests. Successful exploitation could let the attacker log in as a high-privileged, non-root user, access NETCONF, and manipulate network configurations for the SD-WAN fabric.
Impact
Exploitation of this vulnerability allows an unauthenticated attacker to bypass authentication, gain administrative privileges on the affected system, and manipulate network configurations via NETCONF.
Reproduction
To reproduce this vulnerability, an attacker sends crafted requests to a vulnerable Cisco Catalyst SD-WAN Controller or Manager system that is exposed to the internet, targeting the system's control connection handshaking process, which does not properly validate peering authentication. Once the authentication bypass is achieved, the attacker can log in as a high-privileged, non-root user and access NETCONF to manipulate SD-WAN network configurations.
Remediation
Cisco has released software updates to address this vulnerability. Customers should upgrade to the fixed software release indicated in the Cisco Security Advisory. For additional information on the upgrade process, customers can consult the Cisco Catalyst SD-WAN Upgrade Matrix or contact the Cisco Technical Assistance Center (TAC).
