APIC Fail

by Oliver Matula | Thursday, 2:45pm - 3:15pm

Wouldn’t it be wonderful if you do not need to know the nitty-gritty details of your network to operate an application. And imagine that your application is isolated by default and you only configure the required firewall rules (which are, of course, automatically provisioned a few minutes later). Software-defined networking (SDN) makes all of this possible!

But SDNs also come with a downside: If SDN components crash, your network comes to a halt. If SDN components are compromised, all of your network communication may be intercepted and the isolation mechanisms may be bypassed.

In this talk, I will present a vulnerability analysis for one of the major SDN solutions on the market, the Application Centric Infrastructure (ACI) by Cisco. Cisco ACI consists of several Nexus switches in a spine-leaf configuration to provide physical connectivity to endpoints and one or more Application Policy Infrastructure Controller (APIC) to orchestrate the SDN. Several vulnerabilities of the ACI components will be presented, ultimately leading to the scenarios mentioned above.

About Oliver Matula

Oliver Matula is an IT security researcher and practitioner at ERNW and has extensive experience on the offensive side of IT security (e.g. by means of penetration tests and research) and the defensive side (e.g. by means of consulting in large corporate environments).