Russian researchers armed with Shodan and Censys have identified nearly 5,000 SD-WANs with vulnerable management interfaces.
It won't surprise anyone, The Register suspects, that most of the problems the three researchers (Denis Kolegov and Antony Nikolaev of Tomsk State University, and DarkMatter's Sergey Gordeychik) discovered are down to "outdated software and insecure configuration".
In this paper at arXiv, they explained how their active and passive fingerprinting showed that vendors or users failing to update their SD-WAN applications and (usually) Linux operating systems made SD-WANs "low-hanging fruit even for a script kiddie".
Among the vendors whose systems they found accessible from the internet were all big, familiar names – Cisco, VMware, Citrix, SilverPeak, Huawei, Arista – along with another nine smaller outfits.
The researchers confined themselves to the management interface only, not touching any data plane interface (for one thing, messing around with the SD-WANs' internals would create a juicy legal jeopardy).
"In general, the accessibility of management interface on the internet indicates the presence of CWE-749 weakness 'Exposed Dangerous Method or Function'," the paper stated.
Having compiled information like "operating system version, web server version, API methods, etc", the researchers could trawl vulnerability disclosures to see what should have been patched, but wasn't – and that's how they concluded that "most" were vulnerable. "Moreover, virtual appliances provided by SD-WAN vendors using cloud services (e.g. AWS Marketplace) are outdated as well," they added.
The researchers have posted their tools, NMAP scripts, Shodan queries and Censys queries at GitHub, here. ®