Listen to this Post
The vulnerability exists in the API interface of Cisco Catalyst SD-WAN Manager. An authenticated remote attacker with read‑only credentials and API access can exploit improper file handling. The API endpoint fails to validate or sanitize file uploads properly. By crafting a malicious multipart request, the attacker can specify arbitrary destination paths. The vulnerable code does not restrict directory traversal sequences or absolute paths. This allows the uploaded file to be written outside intended upload directories. A successful overwrite targets critical system files, configuration files, or binaries. The attacker does not need write privileges beyond the API access. The flaw stems from insufficient checks on the filename parameter and file content. Once exploited, the attacker can replace legitimate files with malicious versions. This can lead to privilege escalation to `vmanage` user level. The overwritten files may include SSH keys, scripts, or authentication databases. The attack requires low complexity and no user interaction. The network‑based attack leverages the default API configuration. Cisco SD-WAN Manager versions from 17.2.4 up to 20.18.2 are affected. The CVSS vector reflects limited impact on confidentiality and integrity. No denial‑of‑service or remote code execution is directly achieved, but file overwrite enables further compromise.
Platform: Cisco SD‑WAN Manager
Version: 17.2.4 – 20.18.2
Vulnerability: Arbitrary file overwrite
Severity: Medium (5.4)
date: 2024‑04‑24
Prediction: Patch expected 2024‑05‑15
What Undercode Say:
Check vulnerable version vmanage_cli show version | grep -E "20.[0-9]+.[0-9]+" Simulate malicious upload (requires API token) curl -X POST https://target:8443/api/file/upload \ -H "X-XSRF-TOKEN: $TOKEN" \ -F "[email protected]" \ -F "path=../../../../opt/vmanage/data/startup.sh" Verify overwrite attempt via API curl -X GET https://target:8443/api/file/read?path=../../../../opt/vmanage/data/startup.sh
Exploit:
Authenticated attacker sends HTTP POST to `/api/file/upload` with `filename` parameter containing `../` sequences. No path sanitization allows writing to `/etc/passwd` or vmanage user scripts. Using valid read‑only credentials (e.g., `monitor` role) bypasses write permission checks.
Protection from this CVE:
Upgrade to fixed version (20.18.3 or later). Disable API access for read‑only users. Apply input validation on filename and use `realpath()` to restrict uploads to a dedicated directory. Deploy WAF rules blocking `../` in multipart parameters.
Impact:
Overwrite of system configuration or startup scripts leads to persistent compromise. Attacker gains `vmanage` privileges, potentially enabling SD‑WAN policy tampering, credential theft, and lateral movement to controllers or edge routers.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

