1. Introduction
Cisco SD-WAN Solution vManage is vulnerable to a SQL injection attack (CVE-2019-16012). This allows an authenticated, remote attacker to modify data in the underlying database and potentially compromise the operating system. Systems running affected versions of Cisco SD-WAN Solution vManage are at risk. A successful exploit could lead to loss of confidentiality, integrity, and availability of the database and associated systems.
2. Technical Explanation
- Root cause: The web UI does not adequately validate user input when constructing SQL queries.
- Exploit mechanism: An attacker authenticates to the vManage application and submits crafted HTTP requests containing malicious SQL code in parameters that are used in database queries.
- Scope: Cisco SD-WAN Solution vManage software is affected.
3. Detection and Assessment
You can check if your system is vulnerable by verifying the version of Cisco SD-WAN Solution vManage installed. Nessus relies on self-reported version numbers for this issue.
- Quick checks: Check the application’s web UI to determine the installed version number.
- Scanning: Nessus can detect this vulnerability based on the reported version number.
- Logs and evidence: Review vManage logs for suspicious SQL queries or error messages related to database interactions.
4. Solution / Remediation Steps
Apply the security patch provided by Cisco as referenced in cisco-sa-20200318-vmanage-cypher-inject to address this vulnerability.
4.1 Preparation
- Consider a maintenance window for the update process. A roll back plan involves restoring from the backup if issues occur.
4.2 Implementation
- Step 1: Download the appropriate patch file from Cisco’s website (refer to cisco-sa-20200318-vmanage-cypher-inject).
- Step 2: Install the downloaded patch following Cisco’s documented procedures for your vManage version.
4.3 Config or Code Example
Before
After
4.4 Security Practices Relevant to This Vulnerability
4.5 Automation (Optional)
5. Verification / Validation
Confirm the fix by verifying the updated version number and attempting to inject a simple SQL query through the web UI. A smoke test should include logging in and checking basic functionality.
- Post-fix check: Verify that the vManage application now displays the patched version number.
- Re-test: Re-run the initial vulnerability assessment (e.g., Nessus scan) to confirm the issue is no longer detected.
- Smoke test: Log in to the vManage web UI and verify basic functionality, such as device monitoring and configuration management.
6. Preventive Measures and Monitoring
Regularly update your Cisco SD-WAN Solution vManage software to the latest version. Implement input validation practices in all web applications.
- Baselines: Update security baselines to include regular patching of Cisco devices.
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Patch installation may require a reboot of the vManage system, causing temporary downtime.
8. References and Resources
- Vendor advisory or bulletin: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200318-vmanage-cypher-inject
- NVD or CVE entry: /cve/CVE-2019-16012