Zero-Day Alert: Four Vulnerabilities in Riverbed Technology Performance Monitoring Platform Discovered by Digital Defense, Inc.

By Fortra's Digital Defense

Digital Defense is publishing multiple application vulnerabilities in the Riverbed SteelCentral Portal application today, following client notification by Riverbed Technology. Digital Defense's Vulnerability Research Team identified the security issues through vulnerability scanning and brought the flaws to the attention of Riverbed Technology in January 2017, following discovery. Riverbed Technology worked in collaboration with Digital Defense researchers to verify the security issues and confirm the fixes.

Digital Defense clients currently using the Frontline Vulnerability Manager™ platform can sweep for the presence of the flaws by performing a vulnerability assessment scan or utilizing the scan policy created for these flaws.

Riverbed Technology has addressed the flaws. Contact Riverbed support through the support portal for more information.

Details of the vulnerabilities:

Vendor: Riverbed Technology
Product: SteelCentral Portal
Versions tested: 1.3.1 and 1.4.0
Product link: https://www.riverbed.com/products/steelcentral/steelcentral-portal.html

Vulnerability: Unauthenticated File Upload Remote Code Execution in UploadImageServlet
Impact: Remote code execution as SYSTEM, full host compromise. Full compromise of all connected SteelCentral data sources.
Details: Unauthenticated users can upload arbitrary file content with arbitrary filenames to a vulnerable directory that is served remotely. Leveraging this vulnerability, an unauthenticated user can upload a JSP shell that runs commands with SYSTEM privileges, resulting in a full compromise of the host running the SteelCentral Portal application. Once the host is compromised, all connected SteelCentral Portal data sources can be compromised by obtaining the encrypted administrator credentials and decrypting them.

Vulnerability: Unauthenticated Remote Code Execution via H2 Web Console
Impact: Remote code execution as SYSTEM, full host compromise. Full compromise of all connected SteelCentral data sources.
Details: No authentication is required to connect to the H2 web console, a service intended to be remotely accessible only during development but still enabled in the default installation of the SteelCentral Portal. The H2 web console provides an easy way to connect to various types of databases. Using the console, it is possible to establish a connection to the SteelCentral Portal PostgreSQL database using easily obtainable default admin credentials. By default, the PostgreSQL database does not allow remote connections; however, the H2 web console bypasses this restriction because it connects from localhost. Once connected to the PostgreSQL database, an attacker can create a new table, insert the file content of a JSP shell into the table, and then export the table contents to a file in the root directory of the web application. The attacker can then reach the web shell without authentication and run arbitrary commands with SYSTEM privileges. Once the host is compromised, all connected SteelCentral Portal data sources can be compromised by obtaining the encrypted administrator credentials, which can be easily decrypted.

Vulnerability: Information Disclosure via DataSourceService Servlet
Impact: Unauthenticated users can enumerate the IP addresses of connected SteelCentral applications and the username of the privileged user that is used to connect to the remote SteelCentral application.
Details: Authentication is not required to exploit this vulnerability. The main SteelCentral Portal web application allows users to configure other SteelCentral products, such as SteelCentral NetProfiler or AppInternals, as data sources in the interface. Most of the requests that can be made to the DataSourceService servlet require authentication; however, the "listDataSources" and "getDataSourceConfig" methods do not check that the request was made by an authenticated user. This can be leveraged to obtain the IP addresses of SteelCentral applications that are connected to SteelCentral Portal, along with the username of the privileged user that is used to connect to each remote SteelCentral application.

Vulnerability: Information Disclosure via roleService Web Service
Impact: Unauthenticated users can enumerate valid usernames, which can then be used in a brute-force attack against the SteelCentral Portal web interface.
Details: Authentication is not required to exploit this vulnerability. SteelCentral Portal installs an Authentication Service that comes with a web interface and listens on port 8222. This service can be accessed and used to enumerate valid usernames for the SteelCentral Portal application. Additionally, since this service enumerates users by role, it can also be used to discover all the valid users with administrator privileges.
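As an added, defender-side example that is not part of this advisory or of Riverbed's code, the following Python detector scans web-server access-log lines for requests to the endpoints named in the UploadImageServlet, DataSourceService and roleService entries above. The request paths, the query-string layout and the reading of a "-" authuser field as an unauthenticated request are assumptions, and the sample log lines are constructed.

```python
import re
from typing import List, NamedTuple

# Common Log Format line: ip ident authuser [ts] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

class Finding(NamedTuple):
    ip: str
    rule: str
    target: str

# Constructed sample lines. The paths and query layout are assumptions: the
# advisory names the servlets and methods, not their URLs.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2017:10:01:02 +0000] "POST /UploadImageServlet HTTP/1.1" 200 12
203.0.113.5 - - [12/Jan/2017:10:01:09 +0000] "GET /DataSourceService?method=listDataSources HTTP/1.1" 200 842
203.0.113.5 - - [12/Jan/2017:10:01:11 +0000] "GET /DataSourceService?method=getDataSourceConfig&id=1 HTTP/1.1" 200 410
10.0.0.7 - admin [12/Jan/2017:10:05:00 +0000] "GET /DataSourceService?method=listDataSources HTTP/1.1" 200 842
10.0.0.7 - admin [12/Jan/2017:10:05:30 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

UNAUTH_DS_METHODS = ("listDataSources", "getDataSourceConfig")

def detect(log_text: str) -> List[Finding]:
    """Flag requests to the endpoints the advisory lists as unauthenticated. A '-'
    authuser is read as 'no authenticated user recorded' (an assumption)."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, user, method, target = m["ip"], m["user"], m["method"], m["target"]
        # Every upload to UploadImageServlet merits review: it accepts arbitrary
        # content and filenames without authentication.
        if "UploadImageServlet" in target and method == "POST":
            findings.append(Finding(ip, "upload-servlet-post", target))
        # The two DataSourceService methods that skip the auth check, called anonymously.
        elif "DataSourceService" in target and user == "-" and any(x in target for x in UNAUTH_DS_METHODS):
            findings.append(Finding(ip, "datasource-enum-unauth", target))
        # Authentication Service (port 8222) roleService reached anonymously.
        elif "roleService" in target and user == "-":
            findings.append(Finding(ip, "roleservice-enum-unauth", target))
    return findings
```

Feed it the portal's access log and the Authentication Service log; the source addresses in the findings are the ones to triage or block.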
