WebGoat.SDWAN.Net in Depth

SD-WAN New Hop talk by Denis Kolegov, Oleg Broslavsky as presented at Power of Community 2018 conference, Seoul, Korea. [1] [2]

In this presentation, we disclose a set of vulnerabilities in widespread and most popular SD-WAN products including Citrix NetScaler and Silver Peak EdgeConnect. We present the new results of our research, consider some technical details of the insecure design and found vulnerabilities, and describe different attack scenarios that may allow an attacker to compromise SD-WAN control and data planes.

Citrix NetScaler SD-WAN vulnerabilities details

On CTX236992, mode details and exploitation vectors by Sergey Gordeychik, Denis Kolegov, Nikita Oleksov, Nikolay Tkachenko, Oleg Broslavsky

Unauthenticated Access to Munin Service
Incorrect Access Controls
Cross-Site Request Forgery
Use of CakePHP Component with Known Vulnerabilities
Cross-Site Scripting(s)
Path Traversal(s)
SQL Injection(s)
Slow HTTP DoS Attacks
Session ID Leakage
Sudo Misconfiguration
OS Command Injection(s)

SD-WAN Infiltrator

SD-WAN Infiltrator is an NSE script to automatically discover SD-WAN nodes in a local network. It uses SD-WAN Census Database.
Useful for pentest/internal network assessment.
Special release for CodeBlue Security Conference, Tokyo, Japan.

Vulnerabilities in SD-WAN: Client side

Few minor incidental bugs in  Riverbed SteelConnect and Viprinet VPN Hub Router: XSS, password reset abuse.


https://github.com/sdnewhop/sdwannewhope/blob/master/Riverbed%20SteelConnect%20Vulnerabilities.pdf

https://github.com/sdnewhop/sdwannewhope/blob/master/Viprinet%20Stored%20XSS.pdf

Enjoy 

Citrix NetScaler SD-WAN bugs/fixes

Multiple vulnerabilities have been identified in the management interface of Citrix NetScaler SD-WAN physical appliances and virtual appliances. Collectively these vulnerabilities could allow an unauthenticated attacker with access to the management interface to compromise the host.

s7scan to replace plcscan

s7scan by Danila Parnishchev is a tool that scans networks, enumerates Siemens PLCs and gathers basic information about them, such as PLC firmware and hardware version, network configuration and security parameters such as:

SD-WAN Harvester v 0.99

SD-WAN Harvester tool was created by Anton Nikolaev and Denis Kolegov  to automatically enumerate and fingerprint SD-WAN nodes on the Internet. It uses Shodan search engine for discovering, NMAP NSE scripts for fingerprinting, and masscan to implement some specific checks.