“We found a number of methods to bypass access restrictions and take control of appliances from the network,” said Mike Cotton, vice president of research and development at Digital Defense.
The researchers found the vulnerabilities in versions 1.3.1 and 1.4.0 of the portal.
Two of the four vulnerabilities are much more critical because they allow an attacker to run arbitrary code with SYSTEM privileges. Doing so would allow them to compromise the host server running the SteelCentral Portal application.
In an alert published today, Digital Defense said the portal’s UploadImageServlet allows for the remote upload of files leading to full system compromise.
“Unauthenticated users can upload arbitrary file content with arbitrary filenames to the vulnerable directory which can be accessed remotely. Leveraging this vulnerability, an unauthenticated user can upload a JSP shell that will run commands with SYSTEM privileges and result in a full compromise of the host running the SteelCentral Portal application,” Digital Defense said in its alert. “Once the host is compromised, all connected SteelCentral Portal data sources can be compromised by obtaining the encrypted administrator credentials and decrypting.”
The H2 Web Console can also be similarly compromised, allowing for a full compromise of the host and connected data sources. The H2 console is meant to be remotely accessible during development without authentication and still available in default installations of the portal. Through this console, it’s possible to connect to the portal’s SQL database with default credentials; while the PostgreSQL database does not allow remote connections, the H2 console bypasses this restriction.
“Once connected to the PostgreSQL database, an attacker can create a new table; insert the file content for a JSP shell into the table, then export the table contents to a file in the root directory of the web application. An attacker can then gain access to a web shell without authentication, and run arbitrary commands with SYSTEM privileges,” Digital Defense said. “Once the host is compromised, all connected SteelCentral Portal data sources can be compromised by obtaining the encrypted administrator credentials that can be easily decrypted.”
The remaining two flaws are information disclosure vulnerabilities in the DataSourceService Servlet and the roleService Web Service, and give an attacker the ability to learn valid admin usernames for those with access to the portal.
Riverbed Technology products are used by more than 90 percent of the Global 500 and according to the vendor’s websites, some SteelCentral customers include TMobile, Michelin, Colgate University and Turner Broadcasting.