Cisco Patches High-Severity Vulnerability in SD-WAN vManage

The patches for a high-severity vulnerability in the binding configuration of SD-WAN vManage software containers
has been announced by Cisco. The vulnerability tracked as CVE-2022-20696, the issue exists because of insufficient
protection mechanisms on messaging server container ports, allows an unauthenticated attacker to connect to an
affected system using these ports.

For the exploitation of this vulnerability, the attacker must be able to send network traffic to interfaces within the
VPN0 logical network. A successful exploitation could allow the attacker to view and inject messages into the
messaging service, which can cause configuration changes or cause the system to reload.

The vulnerability impacts IOS XE SD-WAN, SD-WAN vBond Orchestrator, and SD-WAN vSmart Controller software, SD-WAN vEdge cloud routers, and SD-WAN vEdge routers.

The tech giant also announced that some of its products are impacted by an NVIDIA Data Plane development kit vulnerability that was resolved in August, and which is tracked as CVE-2022-28199.

Impacted products include Cloud Services router 1000V series, and IOS, IOS XE (other than Catalyst 8000V Edge), and IOS XR software, and NX-OS software.

The issue, Cisco says, was resolved with the release of updates for Catalyst 8000V Edge software, Adaptive Security Virtual Appliance (ASAv), and Secure Firewall Threat Defense Virtual (formerly FTDv).

Tracked as CVE-2022-20923, the flaw exists because the password validation algorithm on these devices is improperly implemented, which could allow an unauthenticated attacker to bypass authentication controls by using crafted credentials.

Workarounds:

There is a workaround that addresses this vulnerability. Administrators can use access control lists (ACLs) to block
ports 4222, 6222, and 8222, which are used by Cisco SD-WAN vManage Software messaging services. ACLs can be
configured in the following way depending on deployment:
• Configure ACLs on Cisco IOS devices.
• Configure ACLs at the firewall that protects Cisco SD-WAN vManage Software.
• Cisco Cloud Controllers ACLs (Inbound Rules allowed list) are managed through the Self-Service Portal.
Customers will have to review their ACL configurations on the Self-Service Portal to ensure that they are
correct. This does not involve updating the controller version. By default, Cisco-hosted devices are protected
against the issue described in the advisory unless the customer has explicitly allowed access

Cisco recommends updating to SD-WAN vManage software releases 20.6.4 or 20.9.1, which include patches for this vulnerability.