SD-WAN a New Hop

Formal Metadata

Title
SD-WAN a New Hop
Subtitle
How to hack software defined network and keep your sanity?
Title of Series
Number of Parts
165
Author
License
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
The software-defined wide-area network is a technology based on the SDN approach applied to branch office connections in enterprises. According to Gartner's predictions, more than 50% of routers will be replaced with SD-WAN solutions by 2020. SD-WAN can have firewalls and other perimeter security features on board, which makes them attractive targets for attackers. Vendors promise "on-the-fly agility, security" and many other benefits. But what does "security" really mean from a hands-on perspective? Most SD-WAN solutions are distributed as Linux-based virtual appliances or as a cloud-centric service, which can make them low-hanging fruit even for a script kiddie. The complexity of SDN creates additional security issues, and cybersecurity professionals should address them before an attack occurs. This presentation will introduce a practical analysis of different SD-WAN solutions from the attacker's perspective. Attack surface, threat model and real-world vulnerabilities in SD-WAN solutions will be presented.
Transcript: English (auto-generated)
Our next speaker is Sergey Gordeychik. Sergey has been doing security research, products and services for the past 15 years, more than 15 years. Since 2011, he's director and scriptwriter at Positive Hack Days Forum, the largest cyber security event in Eastern Europe. Sergey has, for instance, been working at Kaspersky Lab and Positive Technologies. He's also a visiting professor at Harbour.Space University in Barcelona and leader of the SCADA StrangeLove industrial cyber security research team. Today, Sergey will talk about how to hack software-defined networks and keep your sanity while doing it. Let's give a warm round of applause for Sergey Gordeychik.

Hello, hello, good night. Let's start to refresh our memories. This is a big honor for me to speak at
35C3, because my first talk here was at 29C3 with the SCADA StrangeLove team, and I think I can skip this introduction. Thanks to our host, because everything is here. What I want to say about me: still I am very Russian, living in Abu Dhabi, and I do all this stuff because I saw this album in the airplane when I flew here. So, except Bitcoin only.

So, let's start to talk about software-defined networks. What are software-defined networks in general, and SD-WAN in particular? It's magic. So, according to Gartner, it will kill MPLS, it will replace all your Cisco and Juniper devices, or Huawei if you prefer Chinese, but it's bad, you know, according to the latest news. And it will solve all your network problems because it has AI inside, and it will magically optimize network operations and do everything, including security. So, because of this, it's perfectly safe to implement wide area networks efficiently and securely. So, okay, sounds good. What actually are software-defined networks? It's so simple. If you are familiar with software-defined networks, it's quite different. And when we tried with our team to understand how it works, our first impression was like this. We are hackers, we don't want to deal with this shit, but the only challenge we met: before you hack something, you need to actually activate it and make it work. That is why we started to understand how software-defined networks and SD-WAN work. So, what's the main difference between a traditional LAN and SD-WAN?
In a traditional LAN, you have different devices which solve very specific purposes, for instance switches, or routing, or firewalling, or network load balancing. In the case of SD-WAN, you have just a server which runs an operating system, in most cases Linux. And on top of this operating system, you have very specific modules which do specific network functions. It can be firewalling, it can be routing, it can be switching, it can be network load balancing. So, you replace specific devices with one big server which magically does everything with AI, and in the cloud, sure.

So, in SD-WAN, we have several layers. First is the data plane, where you actually process packets and decide how to route them, in which way, how to firewall or drop them. We have the control plane, which manages different routers, different devices. We have the management plane, which can help to apply policies, and the orchestration plane, because it's a serious thing that should have something called orchestration. On the technical plane, again, we have hardware with an operating system and the layer which is called network function virtualization. What's network function virtualization? The way to apply different network functions to a specific device. It's very useful, for instance, to network operators who will provide you with a specific box, and if you want to activate any functions, this can be a web application firewall or sandboxes, they just upload a very specific virtual machine, it can be a Docker image, it can be a KVM image, to your hardware, and you can start to use it. Because inside of this box, you already have all the system infrastructure which processes packets and passes them from one virtual network function to the other. This helps to organize things like service chaining, so you can distribute different network functions on the branch level, on the cloud level or on the HQ level. For instance, things like content filtering, which can be very heavy from a performance perspective, can be distributed. As an example, on the branch level you can use simple things like antivirus to process content. On the HQ level, you can use heavier things like sandboxing, and if the antivirus or specific rules see that this content is suspicious, it will forward it to HQ through MPLS or another VPN, and the next processing is in the HQ. Or you can also analyze it in the cloud for simple things like cloud threat intelligence, where actually your SD-WAN box will send an MD5 hash to the cloud and check whether it's good content or not, or send all files to the cloud to double-check them. Not bad, and I think that is why SD-WAN becomes more popular, and you can see that even military guys in the US decided to switch to SD-WAN because of security, cost saving and all these benefits. Okay, security sounds very familiar for us
and we decided to obviously hack it. I think most of you have experience in hacking different network appliances, and you know that sometimes you need to have complex things like a soldering kit or a debugger, JTAG, et cetera, but not in this case, because SD-WAN actually is not an appliance, it is a virtual appliance, and to start hacking it all you need is to go to AWS or Azure and just activate this virtual appliance for, I don't know, 10 bucks per month, and the next step is to get root on it. There is a very good talk, presented at different conferences including ZeroNights, on how to hack virtual appliances, and we used this like a checklist for our research, because if you hack a virtual appliance you already have access to this system. You can mount the file system to another virtual appliance, you can grab /etc/shadow, you can find a lot of different backdoors just through static analysis.

But all the good things start from Google. For instance, to find the admin password for one of the SD-WAN appliances we just googled GitHub and found that most of the scripts used to automate the appliance use username administrator and password versa123, and actually we found that this username and password are hardcoded there because there is no way to change them. The next step to root it is just to google for old vulnerabilities. For instance, in Silver Peak we found that guys had reported a vulnerability in September 2015, and it was still working in March 2018. So Google works, because the Force is strong with this one.

The next thing: grep always works, strings, you know, and using grep for "password" you can find a lot of interesting things, like hardcoded passwords in different locations: in the configuration files, in the database connection strings, in the system logs, because again, it's a virtual appliance and someone had deployed it before you started to use it. So in the logs there is a lot of interesting live information. In the shadow file, like in one of the Cisco appliances' /etc/shadow file, which uses this encryption in 2018. You can do some forensics, because again, if you get a virtual appliance someone had deployed, and sometimes they were trying to hide this, you can see that in the bash history someone ran a scrub-AWS shell script which actually sets up a different password, et cetera. So if you somehow can recover this script, you find a lot of interesting information, like this kind of password of admin users, and you can see that from this password you can find the hash and next try to brute-force it. It was just my guess, but maybe, because Versa has the password versa123, maybe other network appliances like Silver Peak have a similar password, silverpeak123, and this guess was successful. And it's good, because you cannot stop the progress: if you have experience with red teaming in enterprise networks, you know that cisco/cisco, or Huawei with administrator and huawei123, are quite common passwords. In this case it's a more complex thing, sometimes very leet, like we stutter in network stuff, you know. But still, if you did not get root with these simple steps, again, it's a virtual appliance and you can always patch it, so you can change, for instance, hashes in /etc/shadow, you can change the boot script, you can change the remote management configuration, the password, and next boot in this configuration and get the root password to do the next step, security assessment.

So, security assessment. At the beginning we did it in a very, you know, not scientific way, we just hacked all the things, but after all we did some, let's say, scientific research, and we have an article, I will give you
a link, like an SD-WAN threat landscape, with a step-by-step assessment of what you should hack to get maximum results. But let's mix this thing with funny hacks and the scientific approach. So from the system engineer's point of view, SD-WAN has hardware, off-the-shelf hardware, an operating system, in most cases again off-the-shelf Linux, and different virtual services. Let's start from the operating system, because again, everything you saw in the recent talk about BMC and remote management interfaces related to hardware still works here, unless it's disabled by the vendor, but it's highly unlikely.

On the operating system we did very simple research: we just checked the patch level of all components installed on this box, and you can see that the patch level is ridiculously old. For instance, the oldest thing we found was an OpenSSL library which was released in May 2006. It's for network devices with security functions, but our guess was that they chose this library because this library is too old to be vulnerable to the Heartbleed attack. And SD-WAN wins, because the oldest OpenSSL library we found in a commercial product before was in Siemens SIMATIC WinCC, which was released in 2007. So SD-WAN is like old school, really.

The next thing related to operating system configuration is sudo, and it's actually everywhere, for management interfaces including web services, shell, etc., and it's implemented in a terrible way. As you can see, www-data has the ability to execute all commands, and some scripts just execute any command through sudo. That is why, if you have any small vulnerability in the web interfaces, like in this case a command injection, you can execute commands with sudo. So it's again the 1990s.

The next point is software, not the system but the software design point of view. From software design, there are a lot of open source components which implement IPsec, routing, but from the management perspective they use mostly HTTP and things around it. So let's analyze HTTP and web management interfaces. In this case it's not so old school like the system side: everything is based on Node.js and JavaScript, it's like very cool, but under the hood you can find a hardcore mix of Perl, Java, PHP, whatever, which, I don't know, looks like the guys developed it over the last 10 years. With all this modern Node.js stuff, developers confuse the client and the server, because, you know, JavaScript is on both sides, and it's hard to understand where the server is and where the client side is; I will show you examples. And there are a lot of simple things like slow HTTP DoS attacks, which should have been fixed a long time ago, but still you can stop the web interface with a few HTTP requests.

So a few examples about the client side. JSON CSRF is everywhere, so almost no web interface implements
protection from cross-site request forgery in a proper way. XSS is everywhere, and this is not a problem: as a response from the product manager of one vendor, they told me that XSS, cross-site scripting, for web applications is not an issue because Chrome blocks it. It's just an example of using XSS on such appliances. In this appliance we can use a combination of XSS and cross-site request forgery to download and upload a certificate which is used to authenticate with the server, like the control plane, with the management server. It's just one HTTP request, and obviously there was no response from the vendor, they just silently fixed it, so we decided to publish it as full disclosure.

One example of perfect authentication: in this case you can see client-side JavaScript which just sends a request to the server, to the login status function, and if the user is authorized, go to the requested page, in our case go to the username and password page. So this is 100% client-side, no other checks on the server side, just if you can change it. The second example is just perfect. So a guy, I think, tried to port the authentication from the server side to the client side, not understanding that this JavaScript, which is still JavaScript, doesn't work in the browser, and he just, like, commented it out and said: if username is this and password is this, then go home, so authentication is passed. So this highlighted box, this is the whole authentication on this box.
The next funny thing which is related to SD-WAN is about different privilege escalations. If you're already able to get access to any of the virtual appliances inside, you can try to establish a connection from this appliance to another appliance through localhost. So why can it be interesting? Because there are a lot of open source components for remote management, for instance like Shell In A Box, which provides you like a shell through the web interface, or monitoring tools, which are like system management boxes; they are just bound to localhost, so you cannot establish a connection from outside because it's listening on localhost. But if you're already on this box and you can connect from this box to localhost, then this connection works. And this works because on each appliance you have a lot of virtual appliances which still listen on one IP address; if you have experience with Docker, for instance, all Docker containers have their own IP address, but for the whole computer it's actually a connection from localhost. So if you own any of the virtual appliances, you can own next all the virtual machines installed here. This gives us different interesting ways to escalate privileges inside the box. For instance, if you are able to, let me switch to the laser pointer, you can see it, okay, if you can get access to the traffic processor, for instance through some TCP stack vulnerabilities, next you can get access to the management application, and this management application in most cases has no traffic filtering at all and trusts the management application of all virtual network functions which run on this appliance. So you can do horizontal privilege escalation, or next jump down to the operating system level, and next go to the management plane, upstairs to the management appliance. But it's
But it's really boring to find web application vulnerabilities in such a big amount of code, which is why we just downloaded this code from the different network appliances and dropped it into an interactive code analysis system. In this case we used Positive Technologies Application Inspector, and this helped us to find a lot of vulnerabilities, including such funny things as, for instance, a poorly patched vulnerability in Citrix SD-WAN which was patched in 2017 but still works if you use not a GET HTTP request but a POST HTTP request. So it was patched once again, in this case better. Also it's a Yoda-style, a Yoda-lesson-style vulnerability: it's obviously path traversal, but it just reminded us that attachment leads to jealousy, the shadow of greed that is, so if you send attachment=shadow you can get the shadow file. So this is a full list, sorry, a full list of vulnerabilities we found during just source code analysis, without, you know, brain interaction.
The next step is crypto, because a security appliance should implement cryptography, and there are two things: SSL/TLS and IPsec. In most cases SSL/TLS is used to protect management interfaces between the different appliances, and because it's automatic, if you use a different kind of automatic setup, we found that there are a lot of things related to insecure configuration. For instance, we can use SSL/TLS without forward secrecy, so if you have access to the certificate you can sniff the traffic and do a full man-in-the-middle; different things related to old cipher suites like Triple DES or RC4. For IPsec we found that in most cases a very strange way to select a certificate or the pre-shared keys is used, which in most cases are just hard-coded. So one example from real life, our example, we will publish it soon, from again Citrix NetScaler: these appliances use the Master Control Node protocol to communicate between the orchestration plane, control plane and the data plane. It runs on TCP 2156 and uses TLS without perfect forward secrecy, and what is interesting, the certificate is located in the home directory of a user, in certificates, and the account www-data has full access to this certificate for some reason, I don't know. Okay, maybe it should read it, but why write? And what is interesting, all SD-WAN appliances we were able to find during our security assessment use the same key pair, which is located in the appliance. So all SD-WAN appliances in the world use the same key pair to protect communication between them and the management engine. So if you know this key pair, and obviously you can just take it from the file system, you can passively or actively sniff traffic, do man-in-the-middle, spoof the management appliance, and if this device has any web application vulnerability you can override it. I don't know why, but maybe if next time they change this certificate, you can download it and do man-in-the-middle again.
Interesting stuff we found: we ran some tests for DoS attacks and found that Suricata, which is used in an SD-WAN appliance as IDS, is vulnerable to ReDoS. So it's an old story: some regular expressions can spend a lot of CPU time if you send specific queries. It was fixed in the default Suricata git but still works in some modern SD-WAN solutions. And for sure, if you do some fuzzing, it always works and gives you some fun. Unfortunately we cannot present the reverse engineering part, because for most of such SD-WAN solutions we have a restriction on reverse engineering in the license agreement, but just for fun I think that some of the engineers also love Star Wars and hate Marvel, that is why the initialization function is called "marvel sucks". So just an overview of detected vulnerabilities: green is good or bad, so good for the vendor, but for us, we were unable to detect it. But you can see that most of the classes of vulnerabilities, like hard-codes, broken access control, old products or Linux components or third-party components, were in most of such systems, you can find them in most of such systems. So just select any SD-WAN and make a shot.
An interesting thing is zero touch deployment. It's a very cool feature. For instance, let's imagine that you have a branch office, you need to deploy a branch office with SD-WAN. It's absolutely not necessary to go there or establish a Telnet or SSH connection and try to upload a configuration. All you need is just to ship this device: note its unique ID, set it up through the cloud console and ship this device to the remote location. This device will automatically connect to any Internet it sees around, connect to the cloud server, download the configuration and start operation. So for example, how it works in the Citrix system: we have this appliance which is shipped to the office. It first tries to establish a connection with the surrounding appliances; if not, it tries to go to the zero touch deployment service, presents its own ID, and next this service will provide all the configuration which you uploaded through your SD-WAN center. So from a security perspective this scheme looks terrible. Why? Because this SD-WAN cloud deployment server should be friendly, but not to any attacker: if you know the ID, if you can brute force this ID, you can pretend to be this device. If you have any weaknesses in the implementation of this management server, you can own all devices which are deployed from this service. And as you can see, even Cisco, which is like the best device from a security perspective we found on this product line, let's say, has enough vulnerabilities, and here you can see a zero touch provisioning command injection vulnerability. So
it's a cloud server to which all network devices should connect sometimes. But also we found very funny things related to the distribution of these devices, because as I told you in the beginning, most of such devices can be activated as a cloud appliance through AWS or other cloud services, and we found that most of the default images use old versions with known vulnerabilities. So you go to AWS, you trust the vendor, you activate the system and you receive an attack, because there is a known vulnerability. It reminds me of the old story, I'm a really old man, sorry, you know, Code Red, Nimda, this kind of worms, this kind of war of worms, and this real disaster when you just installed fresh Windows 2000, which had Internet Information Server by default, and just connected it to the Internet to download patches, you received a new infection and needed to reinstall it from the beginning. So these things look similar to me, but it is much worse, because in this case it's a security network device installed on the perimeter of your network. This is an overview of up-to-date statistics: you can see that very few vendors, actually none of the vendors, have an up-to-date version deployed on AWS or the Internet. So I think it's abuse of the Force.
But it's also a very interesting part of the story. As security researchers we always work in the responsible disclosure way, and as you can see, according to this article, some vendors also understand that responsible disclosure is very important, to communicate with the community to fix issues, and they even have a product security incident response team in place. Great, but when we tried to submit a vulnerability report to this vendor, we were unable to find the email of this product security incident response team. So there is no pool, we tried to Google for it in different ways, no luck, but we found that the guys who did similar research before, when they found it, found a great way: send an email to the CEO of this company. Unfortunately my Google-fu is not good enough and I was unable to find the email, but I found this guy on LinkedIn, and he answered in a few minutes actually, and put me in contact. So if you try to deal with SD-WAN vulnerability reporting, just do it this way. So we prepared this table about different vendors, how they communicate with researchers, and you can see that actually Cisco, Citrix and VeloCloud, they were actually not bad, but all the rest, it's just the beginning. This is my favorite mail from one vendor: when we sent the notification, they started to ask me why we sent this email from Gmail, do we have an official ID, what do they mean, I need to present my passport or whatever to submit vulnerabilities? But the funniest thing here, this vendor wrote that their device is not a generic web service which has full Internet exposure. So after reading this email I went to sleep, and during the night someone told me...
So to understand the threat landscape of SD-WAN, we built a bunch of scripts which work on top of the different search engines like Censys, Shodan, Google, and also use the Nmap scripting platform to fingerprint different SD-WAN solutions. We have an article published, "SD-WAN Internet Census", and also some tools which can draw beautiful maps if you want to present at the Chaos Communication Congress, because in our case it's useless. And what we found is that there are not so many SD-WAN devices on the Internet yet, about 3000 management interfaces, which contain known vulnerabilities, and you can own them in a few minutes. And also we built some kind of vulnerability assessment tool which helps you to find known vulnerabilities in these SD-WAN devices. This is like an example for the OpenSSH patch level, as you can see with some CVEs from 2010, 2014, etc. This is open source, you can find it on GitHub. We have two versions: one, SD-WAN Harvester, which uses Google, Shodan and Censys to collect information in all those Internets, and also SD-WAN Infiltrated, Infiltrator, sorry, which is a bunch of Nmap Scripting Engine scripts, and you can use it during penetration testing, so it's not necessary to be connected to the Internet, you can just use it inside the network.
When we did this research we also found an interesting article from Silence about a dark web market where the guys sell usernames and passwords to different network appliances, let's say enterprise-level network appliances, and we found, what worries us, that there are some IP addresses which we found during our assessment, the Internet harvesting, in this list. And in our experience there is no such thing as... we tried to find out why such appliances can be so easily hacked, and obviously the default password, which is hard-coded, sometimes never changed, was used on these appliances. We tried to reach vendors and say, guys, maybe it's a bad idea to use, for instance, hard-coded SNMP, not hard-coded, by default, a community like public, and again public for read-write. But they told us that SNMP is off by default, but still a simple Shodan search shows that more than 200 users of this SD-WAN enabled this SNMP service and still use the default password. So we have a lot of tools which are published on our GitHub, and please contribute, there are a lot of things to do, with new fingerprints for SD-WAN Harvester and Infiltrator, with the SD-WAN threat landscape description, with new vulnerabilities, and also, like a special CCC release, we started to publish Metasploit modules for SD-WAN, so
we have public vulnerability descriptions, you can create your own modules for it. And conclusions: from my perspective, this is how the SD-WAN development lifecycle works. Someone comes with a brilliant idea: okay, let's build SD-WAN, because Gartner told us that it's brilliant, with AI in the cloud. So what we have to do: we can download a bunch of open source, put it all together, set up default routing things, and after all, call it SD-WAN. So SD-WAN is a bunch of open source, which is not bad, but still you need to care about it, and you need to install patches, configure it in the proper way and maintain this complex product. They have problems with patch management, have a lot of management interfaces, like machine-to-machine and also human-to-machine interfaces, have a lot of bad defaults like passwords, hard-coded certificates, PSK keys for IPsec, and many vendors unfortunately have issues with patching, responsible disclosure, and this in the cloud. So if you decide to switch your network to SD-WAN, hack it before you buy, or you will fail. So thank you for your attention. I want to ask you to give a big hand to the SD-WAN New Hop team: Denis, Maxim, Nikita, Oleg and Antony, who did most of the things here, I'm just like a frontman of this group. Thank you so much guys.

We now have about 15 minutes for questions, and you know the rules, please
move to the microphones over there. Any questions? Yep.

Aside from the kind of generic things that any random Linux server can have, on the web interface, on SSH, have you looked at any specific SD-WAN security problems, like with the encapsulation of tunnels or some stuff like that?

So, SD-WAN, you know, there is no technology like SD-WAN. So for SDN there is a kind of protocol which is more or less reused by different vendors in different solutions, and in SD-WAN every vendor implements things in their own way, as an example it's like the Citrix management protocol etc. One thing we did here, but we didn't publish it, is for the virtualization, because again this VNF story is very interesting, because if you have a vulnerability in any virtual function, next you can get access to other virtual machines. But again, the problem here, there is no standard, and different vendors call VNF, implement VNF in a different way: it can be QEMU, it can be just a script which they upload to their appliance.

So you're saying because everyone's writing their own code there are a lot of bugs to find for people who put the work in?

Yeah. Okay.

Okay. And you can just, like, it's not necessary to try to buy things to hack it, you can go to AWS and activate it for free.

Okay, mic one please.

My question is simple: there were a lot of vendors that you were looking at. What about Juniper?

I did not look at it yet. Looking forward to a Contrail investigation.

Thank you. Good. And yes please.

Okay, say thanks for the talk. You mentioned a lot of these virtual machines were running in a hardened Linux or something, and how do you, what are they running, it's like what patch levels are they usually on, these kernels, is it like always 2.6 or something?

Not always 2.6, it was like the worst example, so some of them are, you know, newer. So it's not necessary, again, for network function virtualization some vendors call VNF just a bunch of scripts they download and change the configuration of the default sensor, and in this case we can use a very old kernel, or, more, use a more recent version.

Sorry, yeah, that's okay, I mean, the hardening, how is it, can you tell me really the hardening of the Linux kernel, is it like...

In most cases no way, so no AppArmor or things like this, no SELinux, nothing.

All right. Your question.

Have you looked into Cisco Meraki?

No, we, for Cisco, sorry, it's night, let me find the list... for Cisco we did our exercise with Viptela.

All right, last question over there please.

Just advice, maybe you drop the slide in with "the 90s called, they want the password back". Sorry? Because there were so many hard-coded passwords everywhere, maybe you just should drop a slide in: the 90s called, they want the hard-coded passwords or logins back.

I don't know, so it's public things. So was that a question? You just recommend.

All right, we have a few minutes left, but if there are no questions left then I would call it a day. So another warm round of applause.