Riverbed's NetProfiler, NetExpress virty appliances patched
An entomology of bugs
Riverbed has pushed out an update to virtual security appliances, after Security-Assesment warned it they had multiple vulnerabilities.
The report details SQL injection, command injection, privilege escalation, local file inclusion, cross-site scripting, account hijacks and hard-coded credentials affecting two Riverbed virtual appliances: the SteelCentral NetProfiler, and NetExpress.
The bugs can be “chained together to obtain unauthenticated remote code execution as the root user,” the advisory states.
Riverbed pushed out a patch earlier this month, to version 10.9.0 for both NetProfiler and NetExpress, here.
Here's the TL;dr part
The SQL injection vulnerability allows an attacker to insert a user account without authentication, as a POST in the system's REST API, which is exposed from the main Web GUI login screen.
There are other post-authentication SQL injection vulnerabilities; and Security-Assessment's proof-of-concept shows how to exploit these to write malicious PHP and obtain remote code execution.
The command injection vulnerabilities, also in the appliances' Web interfaces, exist because user input is insufficiently sanitised. An attacker can use these to spawn a shell for arbitrary code execution.
There's a privilege escalation bug in the superuser file (ie, /etc/sudoers), because the “apache” user isn't sufficiently locked down.
The local file inclusion bug exists in a PHP class that doesn't sanitise the GET parameter “class”.
- There are multiple cross-site scripting bugs in the systems' Web interfaces;
- Accounts can be hijacked because system credentials are exposed in the password reset page source code; and
- The system accounts “mazu”, “dhcp” and “root” all use “bb!nmp4y” as their default password. ®