Vulnerability Research and Emerging Threats

Cisco SD-WAN: vManage Vulnerability

Public Disclosure of Vulnerability Affecting the vManage Component of Cisco’s SD-WAN

CommentShare

During a penetration test, Black Lantern Security (BLS) was tasked with assessing various components of a customer’s Cisco SD-WAN implementation. While performing the penetration test, BLS discovered that an unauthenticated remote attacker could enumerate user accounts on the vManage component of Cisco’s SD-WAN.

Cisco SD-WAN Overview

For those unfamiliar with Cisco’s SD-WAN, here is a brief overview of its components.

normal_auth_request
Workflow of Cisco’s SD-WAN Compnents

  • The vManage is used to administer all of the devices within the SD-WAN from a web interface

  • The vSmart handles the implementation of policies and connectivity between SD-WAN branches

  • The vEdge routers are the gateways at the branches used to connect to the SD-WAN

  • The vBond is the internet facing component that connects to each of vEdge routers to establish a secure connection to the network

Even though it is hosted externally in the cloud, in the majority of implementations access to the vManage is handled by white listing only the IP addresses that need to have access to it.

CVE-2021-1486

Normally, vManage users authenticate by sending a POST request containing their credentials to the /j_securitycheck endpoint.

normal_auth_request
Using the /jsecuritycheck Endpoint to Authenticate with vMange

Although undocumented, it was discovered that vManage allows users to also supply a HTTP Basic Authorization header for authentication.

allows_http_basic_auth
Using an HTTP Basic Authorization Header to Authenticate with vManage

While further evaluating this method of authenticating, it was observed that, if a username that did not exist was supplied in the HTTP Basic Authorization header, the server would take significantly longer to respond

user_enumeration
Comparing request response times when supplying a username that exists and a username that does not exist

An attacker could utilize the difference in response times to launch a brute force attack. This could result in the attacker obtaining valid usernames for vManage accounts.

Since Cisco’s vMange is a closed source product, BLS was unable to determine the root cause of the user account enumeration during the penetration test. However, Cisco’s security advisory states that the root cause of the user account enumeration was vManage’s “improper handling of HTTP headers.”

Timeline

2021-02-01: Reported Vulnerability to Cisco’s PSIRT
2021-03-05: Vulnerability Assigned CVE-2021-1486
2021-05-05: Public Disclosure

References

  1. https://attack.mitre.org/techniques/T1087/

  2. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-enumeration-64eNnDKy

  3. https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-1486

Share

CommentShare