GradeZero Music Band

Tuesday, June 2, 2020

A practical guide to SD-WAN Evil

Good writeup by Marcel Gamma: a story about the discovery, fixing and disclosure of Silver Peak SD-WAN vulnerabilities.

Good reading for vendors: don't be like Silver Peak.

...Security researchers make serious accusations against SD-WAN manufacturer Silver Peak. The latter disagrees. Swiss experts are analyzing the case.
By Marcel Gamma
Silver Peak is accused of laxity in dealing with security issues and in dealing with security researchers who act within the framework of Responsible Disclosure.
The starting point of the research is three vulnerabilities that the 9-member group of SD-WAN security researchers at Tomsk University published under the name “SD-WAN New Hope” on Github in April 2020. The vulnerabilities concern Silver Peak, a Gartner-celebrated manufacturer of SD-WAN products, whose products are used by at least two Swiss telcos.
Vulnerability number one according to SD-WAN New Hope: The IPsec UDP protocol implementation in the Silver Peak EdgeConnect product does not offer the claimed “Perfect Forward Secrecy” (PFS). Perfect Forward Secrecy means that the session keys used in an IPsec session cannot be reconstructed from the secret long-term keys after the session has ended.
A second vulnerability, which the researchers believe is just as significant, is that there is no authentication between Orchestrator and EdgeConnect devices. “It is possible to establish a connection between EdgeConnect and Orchestrator devices belonging to different SD-WAN networks,” the researchers say.
Thirdly, the researchers found that there is no authentication between the Silver Peak Cloud portal on the Internet and customers’ EdgeConnect devices. “EdgeConnect does not authenticate the portal. The portal can execute any command on EdgeConnect using the REST API,” says the publication summary on Github.
According to the researchers, the vulnerabilities are severe: “In our view, these vulnerabilities completely compromise the current EdgeConnect software. The vulnerabilities show that the cryptographic layer of the product is broken; the quality of the security mechanisms is very low,” says Denis Kolegov, Ph.D., for 14 years associate professor of computer security at Tomsk University.

All you need is a hacker with script kiddy skills

And how hard was it to find the vulnerabilities? Denis Kolegov explains: “To be honest, some of the vulnerabilities we found are ‘low hanging fruits’ and it is very easy to find and exploit them. You don’t need to hire people with skills like Google’s Project Zero team. All you need is a hacker with script kiddy skills. Other vulnerabilities require cryptographic expertise. We spent about two weeks trying to find the vulnerability in the proprietary IPsec because we had to reverse-engineer some parts of the code and reconstruct the logic, but then found two more vulnerabilities within 2 or 3 hours”.
Kolegov adds, “In my opinion, these vulnerabilities could completely compromise the security of any Silver Peak customer. Furthermore, the third vulnerability has shown that an attacker can compromise the Silver Peak network and its Silver Peak portal and then attack customers or provide a fake portal on the Internet (as we did), change the EdgeConnect configuration, and then route all customer network traffic through the attacker’s network”. This means “that Silver Peak does not understand or does not want to understand how to develop secure software in 2020,” writes the security researcher....
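The first finding quoted above turns on what Perfect Forward Secrecy actually buys: if the session key is a function of the long-term secret and public values only, anyone who recorded the traffic and later obtains the long-term secret can recompute it; if each session also mixes in a fresh ephemeral Diffie-Hellman secret whose exponents are discarded, the recorded transcript holds only g^a and g^b and the key cannot be rebuilt. The following is an added illustration of that property written for this post; it is not code from the article, from the SD-WAN New Hope researchers, or from Silver Peak, and the article does not say how the EdgeConnect IPsec implementation fails to deliver PFS, so nothing here models that product. The DH groups (a 127-bit Mersenne prime and a 16-bit prime, both toys), the SHA-256 counter-mode "stream cipher", the long-term secret and the payload are all constructed for the demo and are not production parameters.

```python
import hashlib
import hmac
import secrets

# Toy DH groups for illustration only (neither is a standard group; real IPsec/IKE
# uses RFC 3526 / RFC 7919 MODP groups or elliptic curves).
P_DEMO = (1 << 127) - 1   # prime (2^127 - 1); large enough that exhaustive search fails below
P_TINY = 65521            # prime (2^16 - 15); small enough that exhaustive search succeeds
G = 5


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (RFC 5869) with an all-zero salt, used as the session-key KDF."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode XORed with the data); symmetric."""
    out = bytearray()
    for off in range(0, len(data), 32):
        keystream = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(x ^ k for x, k in zip(data[off:off + 32], keystream))
    return bytes(out)


def session_without_pfs(long_term_secret: bytes, message: bytes):
    """No PFS: the session key is a function of the long-term secret and two public
    nonces only.  Returns (transcript, ciphertext); the transcript is exactly what a
    passive attacker on the wire gets to record."""
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    key = hkdf_sha256(long_term_secret, b"no-pfs" + nonce_i + nonce_r)
    return {"nonce_i": nonce_i, "nonce_r": nonce_r}, stream_xor(key, message)


def session_with_pfs(long_term_secret: bytes, message: bytes, p: int = P_DEMO):
    """PFS: each side adds a fresh DH exponent; the session key mixes the DH shared
    secret with the long-term secret.  Only g^a and g^b go on the wire, and the
    exponents a, b are discarded when this function returns."""
    a = secrets.randbelow(p - 2) + 2   # initiator's ephemeral exponent, never sent
    b = secrets.randbelow(p - 2) + 2   # responder's ephemeral exponent, never sent
    pub_a, pub_b = pow(G, a, p), pow(G, b, p)
    shared = pow(pub_b, a, p)
    assert shared == pow(pub_a, b, p)  # both sides agree on g^(ab)
    key = hkdf_sha256(long_term_secret + shared.to_bytes(16, "big"), b"pfs")
    return {"pub_a": pub_a, "pub_b": pub_b, "p": p}, stream_xor(key, message)


def brute_force_dlog(pub: int, p: int, budget: int):
    """Exhaustive search for x with G^x = pub (mod p), up to `budget` steps.
    Returns x or None.  This is the only route to the DH secret for an attacker
    who holds g^a, g^b and the long-term secret but not the exponents."""
    acc = 1
    for x in range(1, budget + 1):
        acc = acc * G % p
        if acc == pub:
            return x
    return None


def attacker_decrypt(long_term_secret: bytes, transcript: dict, ciphertext: bytes,
                     budget: int = 200_000):
    """Passive attacker: recorded `transcript` and `ciphertext` earlier and has now
    obtained the long-term secret.  Returns the plaintext, or None if the session
    key cannot be recomputed from what the attacker holds."""
    if "nonce_i" in transcript:                       # no-PFS scheme: key is recomputable
        key = hkdf_sha256(long_term_secret,
                          b"no-pfs" + transcript["nonce_i"] + transcript["nonce_r"])
        return stream_xor(key, ciphertext)
    p = transcript["p"]                               # PFS scheme: need a (or b) first
    a = brute_force_dlog(transcript["pub_a"], p, budget)
    if a is None:
        return None
    shared = pow(transcript["pub_b"], a, p)
    key = hkdf_sha256(long_term_secret + shared.to_bytes(16, "big"), b"pfs")
    return stream_xor(key, ciphertext)


def demo():
    """Runs the three scenarios and returns what the attacker recovers in each."""
    psk = secrets.token_bytes(32)                     # constructed long-term secret
    msg = b"route-update: send all branch traffic via 10.0.0.1"  # constructed payload
    t1, c1 = session_without_pfs(psk, msg)
    t2, c2 = session_with_pfs(psk, msg)               # 127-bit toy group
    t3, c3 = session_with_pfs(psk, msg, p=P_TINY)     # 16-bit toy group
    return {
        "no_pfs": attacker_decrypt(psk, t1, c1),          # recovered from PSK + nonces
        "pfs": attacker_decrypt(psk, t2, c2),             # None: exponents never on the wire
        "pfs_tiny_group": attacker_decrypt(psk, t3, c3),  # recovered: the dlog is trivial
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Run it with `python3` and the no-PFS session is decrypted from the stolen long-term secret and the recorded nonces alone, the PFS session is not (the attacker's only path is a discrete log it cannot finish), and the third case shows that "ephemeral DH" is only worth the name when the group is hard: with the 16-bit toy modulus the same search recovers the exponent immediately. That third case is why a PFS claim has to be checked against both the exchange design and the parameters in use, not taken from the data sheet.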

Enjoy and Stay Safe
