This is umm interesting – a chained attack could ‘shut down a company’s entire international network’
Silver Peak’s Unity Orchestrator, a centralized SD-WAN management platform, contained three security vulnerabilities that, chained together, could result in pre-authenticated remote code authentication (RCE).
Users have been urged to upgrade their systems after Silver Peak patched the authentication bypass, file delete path traversal, and arbitrary SQL query execution flaws.
Combining these flaws, security researchers from Realmode Labs found that attackers could run arbitrary code by finding a file being run by the web server and deleting it using the file delete path traversal issue, then recreating it through the SQL query execution endpoint, which triggered file execution.
“In the best case scenario, an attacker can use these vulnerabilities to intercept or steer traffic,” said Ariel Tempelhof, co-founder and CEO of the Tel Aviv-based cybersecurity firm, in a Medium post outlining the findings.
“However, if an attacker desires, they can instead shut down a company’s entire international network.”
This demonstrates the security risks posed by the “the centralized management paradigm”, Tempelhof and Yaar Hahn, co-researchers on the project, told The Daily Swig.
Silver Peak says there are currently around 2,000 deployments of Unity Orchestrator.
The findings are the first part of a four-part series of blog posts disclosing chained RCE exploits – all remedied – affecting leading SD-WAN products.
SD-WAN solutions simplify and optimize the management of WANs by decoupling networking hardware from its control mechanism.
The flaws
The researchers alighted on the authentication bypass after noticing “special treatment for API calls originating from localhost where no authentication is being performed”.
Then they discovered that requests with localhost as their HTTP Host header would satisfy this “easily forged” localhost check:
request.getBaseUri().getHost().equals(“localhost”)This should have been “discovered and neutralized” during a pre-production security code review, said Tempelhof and Hahn.
Now accessible for remote attackers, certain API endpoints allowed the uploading of debug logs to an S3 bucket.
“This mechanism prepares the logs, uploads them and then deletes the locally hosted file,” said Tempelhof.
“The /gms/rest/debugFiles/delete endpoint performing the deletion does not check for path traversal, creating the ability to delete any file on the system (if permissions allow).”
Finally, an API endpoint for running arbitrary SQL queries was accessible only by localhost and could be readily executed remotely.
“The /gms/rest/sqlExecution endpoint can be leveraged to an arbitrary file write by utilizing an INTO DUMPFILE clause” that bars file overwriting, but the file delete path traversal bug can be exploited to delete then rewrite the file, said Tempelhof.
Remediation
Silver Peak urges users to upgrade to update their Orchestrator builds in its advisories for the authentication bypass (PDF), file delete path traversal (PDF), and arbitrary SQL query execution (PDF) flaws.
The California-based company, which was recently acquired by Hewlett-Packard Enterprise, was alerted to the vulnerabilities on August 9, and issued software updates addressing the flaws on October 30.
“We were very impressed by the Silver Peak SIRT team,” said the researchers. “They were very responsive and cooperative and were the first to fix the issues [of all four vendors].”
A Silver Peak spokesperson told The Daily Swig: “Silver Peak is committed to providing a high-level of security for our enterprise and service provider customers.
“We treat any reported vulnerability notifications seriously and we are committed to resolving any security concerns as quickly as possible.”
Want to know more about HTTP host header attacks?
