Moderate
VMSA-2023-0015
5.3
2023-07-06
2023-07-06 (Initial Advisory)
CVE-2023-20899
VMware SD-WAN update addresses a bypass authentication vulnerability (CVE-2023-20899)
1. Impacted Products
VMware SD-WAN (Edge)
2. Introduction
An Authentication Bypass Vulnerability affecting VMware SD-WAN was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.
3. VMware SD-WAN Bypass Authentication Vulnerability (CVE-2023-20899)
Description
VMware SD-WAN contains a bypass authentication vulnerability. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 5.3.
Known Attack Vectors
An unauthenticated attacker can download the Diagnostic bundle of the application under VMware SD-WAN Management.
Resolution
To remediate CVE-2023-20899 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.
Workarounds
None
Additional Documentation
None
Notes
This vulnerability affects Edge devices only and not the SD-WAN management console (VCO)
Acknowledgements
VMware would like to thank Marco Bruinenberg of Accenture for reporting this issue to us.
Response Matrix
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|
VMware SD-WAN (Edge)
|
5.2
|
Any
|
CVE-2023-20899
|
N/A
|
N/A
|
Unaffected
|
None
|
None
|
|
VMware SD-WAN (Edge)
|
5.1.x
|
Any
|
CVE-2023-20899
|
N/A
|
N/A
|
Unaffected
|
None
|
None
|
|
VMware SD-WAN (Edge)
|
5.0.x
|
Any
|
CVE-2023-20899
|
moderate
|
None
|
None
|
||
|
VMware SD-WAN (Edge)
|
4.5.x
|
Any
|
CVE-2023-20899
|
moderate
|
None
|
None
|
4. References
Fixed Version(s) and Release Notes:
VMware SD-WAN 5.1 Release Notes: https://docs.vmware.com/en/VMware-SASE/5.1.0/rn/vmware-sase-510-release-notes/index.html
VMware SD-WAN 4.5.2 Release Notes: https://docs.vmware.com/en/VMware-SASE/4.5.2/rn/vmware-sase-452-release-notes/index.html
Downloads and Documentation:
https://customerconnect.vmware.com/en/downloads/info/slug/networking_security/vmware_sd_wan/5_1_0
https://customerconnect.vmware.com/en/downloads/info/slug/networking_security/vmware_sd_wan/4_5_2
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20899
FIRST CVSSv3 Calculator:
CVE-2023-20899: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5. Change Log
2023-07-06 VMSA-2023-0015
Initial security advisory.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
E-mail: security@vmware.com
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2023 VMware Inc. All rights reserved.
Read full article (vmware.com)
All content and images belong to their respected owners, this article is curated for informational purposes only.