DeepSec2019 Talk: SD-WAN Secure Communications Design and Vulnerabilities – Denis Kolegov

Hardening communication protocols against network attacks is hard. And yet a lot of products are available on the market that allow you to transport data and messages. Since virtualisation entered the world of technology all things software-definded (SD) have become popular. Denis Kolegov will explain at DeepSec 2019 what the state of affairs in terms of information security is.

The SD-WAN New Hope project targets the security of SD-WAN (software defined wide area network) products. It was started in December 2017, when a customer decided to buy a very secure and well-known SD-WAN product from one of the Top 5 vendors and wanted us to perform threat modelling and a vulnerability assessment. We were doing that for 6 months and found out that the product was awful from a security perspective. It had multiple critical vulnerabilities to RCE, XXE, SQLi, unpatched software, outdated packages, no access control, etc. It seemed that we were investigating an especially vulnerable application for a Capture The Flag (CTF) or security training. We decided to find out whether other SD-WAN products are like this.

It is the end of 2019 and SDx technologies are very popular. They are everywhere. SD-WAN is used as cloud security or network transport platform. Vendors are developing SD-LAN, SD-CORE, SD-VPN, SD-Access and SD-DC products. SD-News write AI-based routing, machine learning, secure network platform unification and state-of-the-art monitoring.At the time of writing, Metro Ethernet Forum (MEF) has unveiled its “Long-Awaited SD-WAN Standard”.

At the moment, we have examined the following products:

  • Versa
  • Citrix SD-WAN
  • Fortinet SD-WAN
  • SilverPeak
  • RiverBed
  • Brain4Net
  • Cisco / Viptela
  • Viprinet

In this talk, we describe most common classes of design flaws and vulnerabilities in SD-WAN secure communication mechanisms and disclose a set of reported and already patched vulnerabilities in popular SD-WAN products. We consider some technical details of secure and insecure designs, weak attestation, zero-touch provisioning vulnerabilities, and none-TLS related padding oracle attacks. We also present the results of SD-WAN large-scale scan for vulnerabilities to common attacks in TLS implementations on the Internet.

SD-WAN New Hop(e) results can be found on this link: https://github.com/sdnewhop/sdwannewhope

 

Denis Kolegov is a principal security researcher at BiZone LLC and an associate professor of Computer Security at Tomsk State University. His research focuses on network security, web application security, cryptography engineering, and covert communications. He holds a PhD and an associate professor degree. Denis presented at various international security conferences including Power of Community, Area41, SecurityFest, Zero Nights, Positive Hack Days, InsomniHack and SibeCrypt.

Tags: , , , ,

Leave a Comment