Can a script kiddie pwn your SD-WAN? Better check the config, friend

Unpatched, outdated software abounds, say researchers

Russian researchers armed with Shodan and Censys have identified nearly 5,000 SD-WANs with vulnerable management interfaces.

It won't surprise anyone, The Register suspects, that most of the problems the three researchers (Denis Kolegov and Antony Nikolaev of Tomsk State University, and DarkMatter's Sergey Gordeychik) discovered are down to "outdated software and insecure configuration".

In this paper at arXiv, they explained how their active and passive fingerprinting showed that vendors or users failing to update their SD-WAN applications and (usually) Linux operating systems made SD-WANs "low-hanging fruit even for a script kiddie".

Among the vendors whose systems they found accessible from the internet were all big, familiar names – Cisco, VMware, Citrix, SilverPeak, Huawei, Arista – along with another nine smaller outfits.

The researchers confined themselves to the management interface only, not touching any data plane interface (for one thing, messing around with the SD-WANs' internals would create a juicy legal jeopardy).

"In general, the accessibility of management interface on the internet indicates the presence of CWE-749 weakness 'Exposed Dangerous Method or Function'," the paper stated.

After querying the target systems they found on Shodan and Censys (and cleaning up the results), it was straightforward to identify vendors and versions, because whether the systems used SSH, HTML, JSON, JavaScript or SNMP, they responded to contact with information like "viptela 17.2.4" (from Cisco).

Having compiled information like "operating system version, web server version, API methods, etc", the researchers could trawl vulnerability disclosures to see what should have been patched, but wasn't – and that's how they concluded that "most" were vulnerable. "Moreover, virtual appliances provided by SD-WAN vendors using cloud services (e.g. AWS Marketplace) are outdated as well," they added.

The researchers have posted their tools, NMAP scripts, Shodan queries and Censys queries at GitHub, here. ®




Biting the hand that feeds IT © 1998–2019