APIC Fail

Wouldn’t it be wonderful if you do not need to know the nitty-gritty details of your network to operate an application. And imagine that your application is isolated by default and you only configure the required firewall rules (which are, of course, automatically provisioned a few minutes later). Software-defined networking (SDN) makes all of this possible!

But SDNs also come with a downside: If SDN components crash, your network comes to a halt. If SDN components are compromised, all of your network communication may be intercepted and the isolation mechanisms may be bypassed.

In this talk, I will present a vulnerability analysis for one of the major SDN solutions on the market, the Application Centric Infrastructure (ACI) by Cisco. Cisco ACI consists of several Nexus switches in a spine-leaf configuration to provide physical connectivity to endpoints and one or more Application Policy Infrastructure Controller (APIC) to orchestrate the SDN. Several vulnerabilities of the ACI components will be presented, ultimately leading to the scenarios mentioned above.