• Home
  • |
  • Blog
  • |
  • How to Fix CVE-2022-20696- An Unauthenticated Access Vulnerability in Cisco SD-WAN vManage Software
How to Fix CVE-2022-20696- An Unauthenticated Access Vulnerability in Cisco SD-WAN vManage Software

The network appliances manufacturer giant Cisco published an advisory on 7th September 2022 (Updated on 09 September 2022) in which Cisco detailed an unauthenticated access vulnerability in Cisco SD-WAN vManage Software. The vulnerability tracked as CVE-2022-20696 is a High severity vulnerability with a CVSS score of 7.5 out of 10. The vulnerability is actually lice in the Cisco SD-WAN vManage Software that could allow an unauthenticated, adjacent attacker who has access to the VPN0 logical network to also access the messaging service ports on an affected system. Since this flaw allows the attacker to view and inject messages into the messaging service by connecting to the messaging service ports of the affected system, which can cause configuration changes or cause the system to reload, it is most important to fix the CVE-2022-20696 vulnerability. Let’s see how to fix CVE-2022-20696, an unauthenticated access vulnerability in Cisco SD-WAN vManage Software, in this post.

A Short Note on Cisco SD-WAN vManage Software

Cisco SD-WAN vManage software is a centralized management system that allows you to manage your Cisco SD-WAN network from a single pane of glass. It provides you with the ability to configure and monitor all aspects of your network, including routers, switches, and WAN Edge devices. vManage also gives you the ability to view end-to-end network performance and troubleshoot any issues that may arise. In addition, vManage provides granular control over traffic policies and routing decisions, allowing you to optimize your network for specific applications and workloads.

Summary of CVE-2022-20696

This is an Unauthenticated Access Vulnerability in Cisco SD-WAN vManage Software, a centralized management system that allows you to manage your Cisco SD-WAN network. The flaw is due to the lack of sufficient protection mechanisms in the messaging server container ports on an affected system. This vulnerability could allow attackers to view and inject messages into the messaging service by connecting to the messaging service ports of the affected system, which can cause configuration changes or cause the system to reload. 

Associated CVE IDCVE-2022-20696
DescriptionAn Unauthenticated Access Vulnerability in Cisco SD-WAN vManage Software
Associated ZDI ID
CVSS Score7.5 High
VectorCVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV)Adjacent Network
Attack Complexity (AC)High
Privilege Required (PR)None
User Interaction (UI)None
ScopeUnchanged
Confidentiality (C)High
Integrity (I)High
availability (a)High

“To exploit this vulnerability, the attacker must be able to send network traffic to interfaces within the VPN0 logical network. This network may be restricted to protect logical or physical adjacent networks, depending on device deployment configuration.”


-Cisco

Cisco Products Vulnerable to CVE-2022-20696

Cisco advisory says that this Unauthenticated Access Vulnerability affects all Cisco devices if they are running a vulnerable version of Cisco SD-WAN vManage Software.

How to Fix CVE-2022-20696- An Unauthenticated Access Vulnerability in Cisco SD-WAN vManage Software?

Since the vulnerability lice in the messaging server container ports in vulnerable versions of Cisco SD-WAN vManage Software, attackers could exploit the flaw on all Cisco devices running a vulnerable version of Cisco SD-WAN vManage Software by connecting to the messaging service ports of the affected system. As a workaround, network administrators are advised to block ports 4222, 6222, and 8222, ports used by Cisco SD-WAN vManage Software messaging services. In addition to this, the vendor asked admins to block these ports on perimeter security deployments like firewalls and Cloud Controllers.

Cisco has released security patches to fix the CVE-2022-20696 vulnerability. Please refer to this table to see the vulnerable versions of Cisco SD-WAN vManage Software Release with recommended fixes. We recommend upgrading to an appropriate fixed software release, as shown in the below table.

Cisco SD-WAN vManage Software ReleaseFirst Fixed Release
Earlier than 20.3Migrate to a fixed release.
20.3Migrate to a fixed release.
20.620.6.4
20.7Migrate to a fixed release.
20.8Migrate to a fixed release.
20.920.9.1

How to Upgrade the vManage Software in Cisco SD-WAN?

Follow this simple procedure to upgrade the Cisco SD-WAN vManage Software.

Source: SivakumarNetLabs

Time needed: 15 minutes.

How to Upgrade the vManage Software in Cisco SD-WAN?

  1. Browse Cisco Software Download Center.

    Cisco is serving a dedicated upgrade images for Cisco SD-WAN vManage Software on its Software Download Center: https://software.cisco.com/download/home/286320995/type

    Cisco Software Download Center

  2. Download the upgrade image from the Cisco Software Download Center.

    Click on ‘SD-WAN Software Update’ to and select the latest version available to download. In this case we have selected v20.3.1(ED). Download both the files if needed.Downloading the upgrade image from the Cisco Software Download Center

  3. Add the Upgrade image to the Cisco vManage Software.

    To upload the image to the Software Repository, Go to Maintenance -> Software Repository in the Cisco vManage console. Click the ‘Add new Software‘ dropdown and select ‘vManage‘ option.


    Browse the image and upload the downloaded upgrade image to the Software Repository.


    Note: Upload the vmanage-20.9.1-x86_64.tar.gz before uploading the viptela-20.9.1-x86_64.tar.gz.Adding the Upgrade image to the Cisco vManage Software

  4. Apply the upgrade image.

    To apply the image, again go to Maintenance -> Software Upgrade. You will see three options, WAN Edge, Controller, and vManage. Select the vManage option. Click on the ‘Upgrade‘ then choose the version from the dropdown then click on the ‘Upgrade’ button.


    The upgradation process will take few minutes to complete.

    Applying the upgrade image.

  5. Activate the upgrade package.

    The activation procedure is very simple and straight. Go to Maintenance -> Software Upgrade. Select the vManage option. Click on ‘Activate‘. then choose the version from the dropdown then click on the ‘Activate‘ button. SD-WAN appliance will reboot by itself as part of the activation process. That’s it. This is how you should upgrade the vManage Software on Cisco SD-WAN.

    Activating the upgrade package.

  6. Verify the vManage version on Cisco SD-WAN.

    Issue this command on CLI to see the version of vManage. Alternatively, you can go to Help -> About to see the version info on the GUI console.

    # sh soft

Cisco Software Checker Utility

Cisco has published Cisco Software Checker service to search for Cisco Security Advisories for specific Cisco IOS, IOS XE, NX-OS, and NX-OS in ACI Mode software releases. We recommend to use this awesome tool from Cisco to ensure no advisories are skipped to action against the discovered known vulnerabilities.

For Example: if you want to check the advisories for Cisco Nexus 3000 Nexus Switch running 7.0 NX-OS. Select your Cisco Operating System, NX-OS Platform, NX-OS release versions from the dropdown. Click Continue button. Select the Advisory Impact Rating then click Continue button again. You will see a list of Security Advisories That Affect This Release.

Cisco Software Checker Utility

Cisco Switcher Not-Affected By CVE-2022-20696:

Cisco clearly says that these products are safe and not affected by the CVE-2022-20696 flaw. Administrators can ignore taking action on these products.

  • IOS XE SD-WAN Software
  • SD-WAN vBond Orchestrator Software
  • SD-WAN vEdge Cloud Routers
  • SD-WAN vEdge Routers
  • SD-WAN vSmart Controller Software

We hope this post will help you know how to fix CVE-2022-20696, an unauthenticated access vulnerability in Cisco SD-WAN vManage Software. Please share this post if you find this interested. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.