Cisco SD-WAN v20.4.2.1 ships an outdated OpenSSH build (OpenSSH_7.6p1) that is susceptible to the “SSHtranger Things” attack. If a victim connects to a malicious or compromised SSH server, this attack can be used to write or overwrite sensitive files on the victim's system.
By overwriting sensitive script files (e.g. “.bashrc”), this may allow an unauthenticated attacker to obtain Remote Code Execution (RCE) on the victim’s system.
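To show the client-side check that closes this class of bug, here is an added example (not Cisco's or OpenSSH's code): it parses the scp `C` directive a server sends for each file and accepts the transfer only when the offered name is a bare file name that matches what the client actually requested, in the spirit of the check patched scp clients perform. The directive layout shown, the function names and the sample directives are assumptions constructed for the illustration.

```python
"""Hardened handling of the scp 'C' directive (added illustration, not vendor code).

In the scp protocol the sending side announces each file with a line such as
"C0644 <size> <name>\n". A client that trusts <name> verbatim can be steered into
writing a file it never asked for; the defence is to validate the name before
opening anything on disk.
"""
import fnmatch
import re

# 'C' + four octal mode digits, a decimal size, then the file name.
_C_LINE = re.compile(r"^C([0-7]{4}) (\d+) (.+)$")


def parse_c_directive(line: str):
    """Parse 'C<mode> <size> <name>' into (mode, size, name); None if malformed."""
    m = _C_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    return int(m.group(1), 8), int(m.group(2)), m.group(3)


def is_safe_name(name: str, requested: str) -> bool:
    """Accept only a bare file name that matches the pattern the client requested."""
    if not name or name in (".", ".."):
        return False
    if "/" in name or "\0" in name:  # no path components, no NUL smuggling
        return False
    # fnmatch, unlike shell globbing, lets '*' match dotfiles; refuse hidden
    # files (e.g. .bashrc) unless the client explicitly asked for one.
    if name.startswith(".") and not requested.startswith("."):
        return False
    return fnmatch.fnmatchcase(name, requested)


def accept_incoming(line: str, requested: str):
    """Return (mode, size, name) for an acceptable directive, else raise ValueError."""
    parsed = parse_c_directive(line)
    if parsed is None:
        raise ValueError("malformed scp directive")
    mode, size, name = parsed
    if not is_safe_name(name, requested):
        raise ValueError(f"server offered unexpected file {name!r}")
    return mode, size, name


if __name__ == "__main__":
    # Constructed sample: the client asked for report.txt and the server offers it.
    print(accept_incoming("C0644 12 report.txt\n", "report.txt"))
```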
The vendor's disclosure and fix for this vulnerability can be found here.
This vulnerability requires one of the following:
- a successful SSH MITM, or
- social engineering to convince a legitimate SD-WAN user to connect to a malicious SSH server.
More details and the exploitation process can be found in this PDF.