Tuesday, May 5, 2020

Malicious Portal SilverPeak REST API access

Details about new security vulnerabilities in SD-WAN solution. There is no authentication between cloud SilverPeak’s Portal on the Internet and customers’  EdgeConnect devices. EdgeConnect doesn’t authenticate Portal. Portal can execute any command on EdgeConnect via REST API.



1. EdgeConnect SD-WAN solution doesn’t authenticate Portal: we were able to connect an EdgeConnect device to a Portal emulator and execute a command on the EdgeConnect. 
2. Portal has access to EdgeConnect’s REST API without any authentication. 
3. Any Websocket-based remote service proxied to 127.0.0.1:3000 will get unrestricted access to the REST API.

Affected version 

Silverpeak EdgeConnect 8.1.7

Details and exploit


Credits

Denis Kolegov, Mariya Nedyak, Anton Nikolaev from SD-WAN New Hop Team.

Enjoy

No comments:

Post a Comment