Critical Zero-Day in Cisco SD-WAN Controller Allows Full Admin Takeover

The flaw gives unauthenticated attackers full administrative control over enterprise SD-WAN infrastructure without any valid credentials.

CSBadmin

Vulnerability Discovery and Mechanism

Rapid7 Labs researchers uncovered a critical authentication bypass vulnerability in the Cisco Catalyst SD-WAN Controller while investigating a previous flaw. The issue resides in the vdaemon service, which handles control plane peering through DTLS on UDP port 12346. A logic gap in the vbond_proc_challenge_ack() function permits attackers to bypass all certificate verification checks by presenting a device type of vHub, for which no validation code exists. This allows an unauthenticated remote attacker to establish a fully trusted control plane connection without any valid credentials or knowledge of the network topology.

Exploitation and Impact

The attack chain is remarkably simple. An attacker completes a DTLS handshake with any self-signed certificate, receives a challenge, and responds with a CHALLENGE_ACK message claiming to be a vHub device. The authentication flag is set unconditionally, granting the attacker trusted peer status. Once authenticated, the attacker can inject SSH public keys into the authorized_keys file of the vmanage-admin account, gaining persistent, credential-independent access to the NETCONF service on TCP port 830. From this position, an adversary can read and manipulate running network configurations across the entire SD-WAN fabric. Rapid7 has developed a working Metasploit module demonstrating this exploit chain. Cisco has released patches, and administrators are urged to apply them immediately to prevent complete network compromise.
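The bug class behind this flaw, an authentication routine that sets its trusted flag after a per-type switch rather than inside a branch that actually verified something, is illustrated below with an added example. This is not vdaemon's code; the device-type names, the peer structure and both functions are hypothetical, written to contrast the pattern described above with a default-deny version.

```c
#include <stdbool.h>

/* Hypothetical peer device types; illustrative, not the values vdaemon uses. */
typedef enum { DEV_VEDGE, DEV_VSMART, DEV_VMANAGE, DEV_VHUB, DEV_UNKNOWN } dev_type_t;

typedef struct {
    dev_type_t type;           /* device type claimed in the CHALLENGE_ACK */
    bool cert_chain_valid;     /* certificate chained to the trusted CA */
    bool serial_in_allowlist;  /* device serial is in the controller's allowlist */
    bool authenticated;        /* trusted-peer flag set by the handler */
} peer_t;

/* Vulnerable pattern: known types are checked, but a type with no validation
 * branch falls through, and the flag is set unconditionally after the switch. */
bool challenge_ack_vulnerable(peer_t *p) {
    switch (p->type) {
    case DEV_VEDGE:
    case DEV_VSMART:
    case DEV_VMANAGE:
        if (!p->cert_chain_valid || !p->serial_in_allowlist)
            return false;
        break;
    case DEV_VHUB:
        /* no validation code exists for this type */
        break;
    default:
        break;
    }
    p->authenticated = true;   /* reached for DEV_VHUB with any certificate */
    return true;
}

/* Hardened pattern: default deny. The flag is set only on a branch that
 * performed the checks; any type without a verification path is rejected. */
bool challenge_ack_hardened(peer_t *p) {
    switch (p->type) {
    case DEV_VEDGE:
    case DEV_VSMART:
    case DEV_VMANAGE:
        p->authenticated = p->cert_chain_valid && p->serial_in_allowlist;
        return p->authenticated;
    default:
        p->authenticated = false;  /* DEV_VHUB, DEV_UNKNOWN: no checks, no trust */
        return false;
    }
}
```

The point to carry into code review of any peering or login handler is that the trusted flag must be assigned inside the branch that validated the peer, never in shared code after a switch whose cases can be bypassed by an unexpected value.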

Source: Cyber Security News
