1. Introduction
The Cisco SD-WAN Solution vManage is affected by a Stored Cross-Site Scripting (XSS) vulnerability, referenced as cisco-sa-20200318-vmanage-xss. This allows an authenticated attacker to inject malicious script code into the web management interface, potentially compromising user data or system settings. Systems running vulnerable versions of Cisco SD-WAN Solution vManage are at risk. A successful exploit could allow an attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. This poses a medium risk to confidentiality, integrity and availability.
2. Technical Explanation
The vulnerability stems from insufficient validation of user-supplied input within the Cisco SD-WAN vManage web UI. An attacker can exploit this by persuading a user to click a crafted link containing malicious script code. This code is then stored and executed when other users access the affected part of the interface, leading to XSS. The vulnerability is tracked as CVE-2019-16010.
- Root cause: Insufficient validation of user input in the web UI allows storage of malicious script code.
- Exploit mechanism: An attacker crafts a link containing JavaScript code and persuades an authenticated user to click it. The code is then executed within the context of the victim’s browser session when they access the vManage interface.
- Scope: Cisco SD-WAN Solution vManage software.
3. Detection and Assessment
Confirming vulnerability requires checking the installed version of Cisco SD-WAN Solution vManage. Nessus relies on self-reported version numbers for this issue.
- Quick checks: Access the vManage web interface and check the software version in the footer or “About” section.
- Scanning: Nessus can detect this vulnerability based on the reported version number of Cisco SD-WAN Solution vManage.
- Logs and evidence: Review vManage logs for suspicious URL parameters or input data, but direct evidence may be limited without specific logging configuration.
4. Solution / Remediation Steps
Apply the security patch or upgrade Cisco SD-WAN Solution vManage to a fixed version.
4.1 Preparation
- No services need to be stopped, but plan for potential downtime during the upgrade process. A roll back plan involves restoring from the backup or snapshot.
- A change window may be required depending on your organization’s policies. Approval from relevant stakeholders is recommended.
4.2 Implementation
- Step 1: Download the appropriate patch file for your Cisco SD-WAN Solution vManage version from the Cisco Software Download Center.
- Step 2: Install the patch using the standard patching procedure for Cisco SD-WAN Solution vManage as documented by Cisco.
- Step 3: Verify that the patch has been applied successfully and that the vManage service is functioning correctly.
4.3 Config or Code Example
Before
After
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help mitigate the risk of XSS vulnerabilities.
- Practice 1: Input validation – Always validate user-supplied input on both the client and server sides to prevent malicious code from being injected.
- Practice 2: Least privilege – Limit user access rights to only those necessary for their job function, reducing the potential impact of a successful XSS attack.
4.5 Automation (Optional)
Automation is not directly applicable for this vulnerability as it requires patching or upgrading software.
5. Verification / Validation
Confirm the fix by verifying the updated version of Cisco SD-WAN Solution vManage and attempting to exploit the vulnerability with a test payload (in a non-production environment).
- Post-fix check: Access the vManage web interface and confirm that the software version has been updated.
- Re-test: Attempt to inject a simple XSS payload into the vManage interface and verify that it is not executed.
- Smoke test: Verify core functionality of the vManage interface, such as device monitoring and configuration management.
- Monitoring: Monitor vManage logs for any suspicious activity or error messages related to input validation.
6. Preventive Measures and Monitoring
Regular patching and security awareness training are key preventive measures.
- Baselines: Ensure that your security baseline includes regular updates for all software, including Cisco SD-WAN Solution vManage.
- Pipelines: Implement a robust patch management process to ensure timely application of security updates.
- Asset and patch process: Establish a regular schedule for reviewing and applying security patches, based on the severity of the vulnerability.
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Patch installation could temporarily disrupt vManage service availability.
- Risk or side effect 2: In rare cases, a patch may introduce compatibility issues with other components.
8. References and Resources
Links to official advisories and documentation.
- Vendor advisory or bulletin: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200318-vmanage-xss
- NVD or CVE entry: CVE-2019-16010
- Product or platform documentation relevant to the fix: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs09263