1. Introduction
Cisco SD-WAN vManage Command Injection (cisco-sa-20200122-sdwa…) is a high severity vulnerability affecting Cisco SD-WAN devices running versions prior to 18.3.0. This allows an authenticated remote attacker to execute arbitrary commands on the affected system, potentially compromising its confidentiality, integrity and availability. Systems running vulnerable versions of vManage are at risk.
2. Technical Explanation
The vulnerability stems from insufficient input validation within the WebUI of Cisco SD-WAN vManage. An attacker can inject commands by configuring a malicious username on the login page. This allows them to execute arbitrary commands with vmanage user privileges. The vulnerability is tracked as CVE-2019-12629.
- Root cause: Insufficient input validation of data parameters for certain fields in the WebUI.
- Exploit mechanism: An attacker configures a malicious username on the login page, triggering command execution with vmanage user privileges.
- Scope: Cisco SD-WAN versions prior to 18.3.0 are affected.
3. Detection and Assessment
- Quick checks: Access the vManage WebUI and check the software version in the system information section.
- Scanning: Nessus can detect this issue based on self-reported version numbers, but has not tested for it directly.
- Logs and evidence: Review vManage logs for suspicious activity related to username configuration or command execution attempts. Specific log files are not identified in the advisory.
4. Solution / Remediation Steps
The following steps detail how to fix this issue.
4.1 Preparation
- No services need to be stopped, but plan for potential downtime during the upgrade process. A roll back plan involves restoring from backup or reverting to the previous snapshot.
- A change window may be required depending on your organization’s policies. Approval from relevant stakeholders is recommended.
4.2 Implementation
- Step 1: Upgrade Cisco SD-WAN vManage to version 18.3.0 or later. Refer to the official Cisco documentation for upgrade instructions.
4.3 Config or Code Example
Before
After
4.4 Security Practices Relevant to This Vulnerability
List only practices that directly address this vulnerability type. Use neutral wording and examples instead of fixed advice. For example: least privilege, input validation, safe defaults, secure headers, patch cadence.
- Practice 1: Input Validation – Implement strict input validation on all user-supplied data to prevent the injection of malicious commands or scripts.
- Practice 2: Least Privilege – Ensure that users have only the necessary permissions required for their tasks. This limits the potential damage from a compromised account.
4.5 Automation (Optional)
5. Verification / Validation
Confirming the fix involves verifying the upgraded version of vManage and performing basic functionality tests.
- Post-fix check: Access the vManage WebUI and confirm that the software version is 18.3.0 or later.
- Re-test: Repeat the initial vulnerability assessment to verify that the issue is no longer present.
- Smoke test: Verify basic functionality such as login, device monitoring, and configuration changes are working as expected.
- Monitoring: Monitor vManage logs for any unusual activity or errors related to command execution.
6. Preventive Measures and Monitoring
Suggest only measures that are relevant to the vulnerability type. Use “for example” to keep advice conditional, not prescriptive.
- Baselines: Update security baselines or policies to include a requirement for patching Cisco SD-WAN devices within a defined timeframe.
- Pipelines: Implement automated testing in CI/CD pipelines to identify and prevent vulnerable configurations from being deployed.
- Asset and patch process: Establish a regular patch management cycle for all network devices, including Cisco SD-WAN components.
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Upgrade process may cause temporary service disruption. Mitigation involves careful planning and testing in a non-production environment.
- Roll back: Restore vManage from backup or revert to the previous snapshot if the upgrade fails or causes unexpected issues.
8. References and Resources
- Vendor advisory or bulletin: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-sdwan-cmd-inject
- NVD or CVE entry: CVE-2019-12629
- Product or platform documentation relevant to the fix: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi70009