CVE-2019-16100

Vulnerability

Silver Peak EdgeConnect SD-WAN appliances running versions before 8.1.7.x are vulnerable to a denial-of-service condition via the web management interface. By sending deliberately slow HTTP requests from a single remote source, an attacker can cause the web interface to become unresponsive, effectively blocking legitimate administrative access.

Exploitation

An attacker needs only network access to the EdgeConnect's web management interface. No authentication is required. The attacker sends a sustained stream of slow client-side HTTP traffic from a single source (e.g., using a low-and-slow HTTP attack technique). The server's inability to properly handle prolonged, incomplete requests leads to resource exhaustion.

Impact

Successful exploitation causes the web management interface to become unresponsive, preventing administrators from accessing the device through the web UI. This denial-of-service condition disrupts management operations but does not affect data-plane forwarding functions. The attacker does not gain access to the device or data; the impact is limited to availability of the management interface.

Mitigation

Silver Peak released a fix in version 8.1.7.x and later. Users should upgrade to a version containing the patch. According to the reference [1], the vulnerability was disclosed in a report covering multiple issues and was addressed in that release. No workarounds are described in the available references; restricting network access to the web management interface (e.g., via ACLs or firewall rules) can reduce exposure.