Hand-Picked Top-Read Stories

Policy data may be lost when a CVAD site is upgraded from a previous version to 2402

8 views

Citrix VDA lose Registration after Cloud Connector Restart

9 views

Understanding Write Cache in Provisioning Services Server

26 views

Trending Tags

VMware Virtualisation

356 views

2 minute read

VMSA-2023-0015

7 July 2023

Moderate

Advisory ID:
VMSA-2023-0015

CVSSv3 Range:
5.3

Issue Date:
2023-07-06

Updated On:
2023-07-06 (Initial Advisory)

CVE(s):
CVE-2023-20899

Synopsis:
VMware SD-WAN update addresses a bypass authentication vulnerability (CVE-2023-20899)

1. Impacted Products

VMware SD-WAN (Edge)

2. Introduction

An Authentication Bypass Vulnerability affecting VMware SD-WAN was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.

3. VMware SD-WAN Bypass Authentication Vulnerability (CVE-2023-20899)

Description

VMware SD-WAN contains a bypass authentication vulnerability. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

An unauthenticated attacker can download the Diagnostic bundle of the application under VMware SD-WAN Management.

Resolution

To remediate CVE-2023-20899 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.

Workarounds

None

Additional Documentation

None

Notes

This vulnerability affects Edge devices only and not the SD-WAN management console (VCO)

Acknowledgements

VMware would like to thank Marco Bruinenberg of Accenture for reporting this issue to us.

Response Matrix

Product	Version	Running On	CVE Identifier	CVSSv3	Severity	Fixed Version	Workarounds	Additional Documentation
VMware SD-WAN (Edge)	5.2	Any	CVE-2023-20899	N/A	N/A	Unaffected	None	None
VMware SD-WAN (Edge)	5.1.x	Any	CVE-2023-20899	N/A	N/A	Unaffected	None	None
VMware SD-WAN (Edge)	5.0.x	Any	CVE-2023-20899	5.3	moderate	5.1	None	None
VMware SD-WAN (Edge)	4.5.x	Any	CVE-2023-20899	5.3	moderate	4.5.2	None	None

4. References

Fixed Version(s) and Release Notes:

VMware SD-WAN 5.1 Release Notes: https://docs.vmware.com/en/VMware-SASE/5.1.0/rn/vmware-sase-510-release-notes/index.html

VMware SD-WAN 4.5.2 Release Notes: https://docs.vmware.com/en/VMware-SASE/4.5.2/rn/vmware-sase-452-release-notes/index.html

Downloads and Documentation:

https://customerconnect.vmware.com/en/downloads/info/slug/networking_security/vmware_sd_wan/5_1_0

https://customerconnect.vmware.com/en/downloads/info/slug/networking_security/vmware_sd_wan/4_5_2

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20899

FIRST CVSSv3 Calculator:

CVE-2023-20899: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5. Change Log

2023-07-06 VMSA-2023-0015

Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com

bugtraq@securityfocus.com

fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

VMware Security Advisories

https://www.vmware.com/security/advisories

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog

https://blogs.vmware.com/security

Twitter

https://twitter.com/VMwareSRC

Copyright 2023 VMware Inc. All rights reserved.

Read full article (vmware.com)

All content and images belong to their respected owners, this article is curated for informational purposes only.

Leave a Reply Cancel reply

You must be logged in to post a comment.

Previous Post

Citrix

Activate a ShareFile employee/client user from “Forgot Password” without re-sending welcome email

6 July 2023

Next Post

Citrix

Virtual Desktop:Remote PC physical console black screen

7 July 2023