CVE-2023-20223

8.6 HIGH

📋 TL;DR

This vulnerability in Cisco DNA Center allows an unauthenticated, remote attacker to read and modify data in an internal service repository because access controls on the affected API are insufficient. It affects Cisco DNA Center appliances running vulnerable releases and can expose sensitive network management data.

💻 Affected Systems

Products:
  • Cisco DNA Center
Versions: Versions prior to 2.3.7.6
Operating Systems: Cisco DNA Center OS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable; no special setup is required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could gain unauthorized access to critical internal service data, leading to data theft, manipulation, or disruption of network management functions.

🟠 Likely Case

Attackers may exploit this to read or modify configuration data, potentially causing network instability or unauthorized changes.

🟢 If Mitigated

With proper patching and network segmentation, the risk is reduced to minimal, limiting exposure to trusted networks only.

🌐 Internet-Facing: HIGH, as the vulnerability is unauthenticated and remote, making internet-exposed devices prime targets.
🏢 Internal Only: MEDIUM, as internal attackers could still exploit it, but network controls may limit broader impact.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation involves sending crafted API requests, which is straightforward given the unauthenticated nature.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.7.6 or later

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-ins-acc-con-nHAVDRBZ

Restart Required: Yes

Instructions:

  1. Log into Cisco DNA Center.
  2. Navigate to System > Software Updates.
  3. Download and install version 2.3.7.6 or later.
  4. Restart the device as prompted.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict access to Cisco DNA Center API endpoints to trusted internal networks only.

Use firewall rules to block external access to Cisco DNA Center ports (e.g., TCP 443).

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure to the Cisco DNA Center device.
  • Monitor API logs for unusual or unauthorized access attempts.

🔍 How to Verify

Check if Vulnerable:

Check the Cisco DNA Center version via the web interface or CLI; if it is below 2.3.7.6, it is vulnerable.

Check Version:

ssh admin@<dnac-ip> show version | grep 'Cisco DNA Center'

Verify Fix Applied:

After patching, confirm the version is 2.3.7.6 or higher and test API access controls.

📡 Detection & Monitoring

Log Indicators:

  • Unusual API requests from unauthenticated sources.
  • Spikes in access to internal service endpoints.

Network Indicators:

  • Traffic to Cisco DNA Center API endpoints from unexpected IP addresses.

SIEM Query:

source="Cisco DNA Center" AND (event_type="api_access" AND user="unauthenticated")
