San Antonio, TX – April 10, 2017 – Digital Defense, Inc., a leading provider of Vulnerability Management as a Service (VMaaS™), disclosed the discovery of four zero-day vulnerability threats found in the Riverbed Technology SteelCentral Portal version 1.3.1 and 1.4.0. The vulnerabilities are critical in nature due to the ability of a cybercriminal to exploit these issues to gain access to the performance monitoring platform and retrieve confidential data. Riverbed has collaborated closely with Digital Defense and addressed these vulnerabilities.
About the Vulnerabilities
Digital Defense Vulnerability Research Team (VRT) identified previously unknown vulnerabilities through security vulnerability detection, while developing new audit modules for its patented vulnerability scanning technology.
Two unauthenticated remote code execution vulnerabilities would allow an attacker to run arbitrary code with SYSTEM privileges and fully compromise the host running the SteelCentral Portal application. Compromise of the portal application would allow for credentials of all connected SteelCentral data sources to be recovered and leveraged to further compromise the connected data sources.
Additionally, two information disclosure flaws would allow unauthenticated user enumeration, disclosing valid usernames for the Riverbed SteelCentral Portal application and its connected data sources.
Riverbed has addressed the vulnerabilities. For more information, customers may contact Riverbed customer support staff through their support portal.
Details surrounding each of the four vulnerabilities are available on the Digital Defense website. Additionally, the company’s patented scanning technology can detect all of these vulnerabilities with explicit network tests for the affected network services.
Digital Defense Research Methodology and Practices
The Digital Defense VRT regularly works with organizations in the responsible disclosure of zero-day vulnerabilities. The expertise of the VRT, when coupled with the company’s next generation cloud-based vulnerability manager platform, Frontline™ Vulnerability Manager, enables early vulnerability detection capabilities. When zero-days are discovered and internally validated, the VRT immediately contacts the affected vendor to notify the organization of the new finding(s) and then assists, wherever possible, with the vendor’s remediation actions.
“Security flaws in the application-layer of critical infrastructure remain a blind spot for both vendors and the organizations they serve”, said Mike Cotton, Vice President of Research and Development at Digital Defense. “We applaud Riverbed for working with us to pinpoint and eliminate these flaws from their platform.”
About Digital Defense
Founded in 1999, Digital Defense, Inc. is a trusted provider of managed security risk assessment solutions, protecting billions of dollars in assets for clients around the globe. This includes highly regulated industries such as healthcare, financial, and retail, as well as those entrusted with sensitive data such as law firms and energy companies. Digital Defense’s unique Vulnerability Management as a Service (VMaaS) model delivers consistently accurate vulnerability scanning and penetration testing, while its security awareness training promotes employees’ security-minded behavior. Digital Defense security solutions are highly-regarded by industry experts, as illustrated by the company’s designation as Best Scan Engine by Frost & Sullivan, top 20 ranking (#16) in Cybersecurity Ventures’ list of the World’s 500 Hottest Cybersecurity Companies, as well as inclusion in CSO Outlook’s Top 10 Network Security Companies, and CIO Review’s 20 Most Promising Cyber Security Solutions.
# # #
Michael Becce, MRB Public Relations
Meg Grant, SVP, Marketing
Digital Defense, Inc.
Digital Defense and the Shield Logo are Registered Service Marks of Digital Defense, Inc. All other trademarks are the property of their respective owners.