SEC Consult Vulnerability Lab Security Advisory < 20200724-0 >
=======================================================================
title: Privilege Escalation Vulnerability
product: SteelCentral Aternity Agent
vulnerable version: 11.0.0.120
fixed version:
CVE number: CVE-2020-15592, CVE-2020-15593
impact: Critical
homepage: https://www.riverbed.com/gb/
found: 2019-12-13
by: Eneko Cruz Elejalde (Office Zurich)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Riverbed Technology, Inc. is an American information technology company. Its
products consist of software and hardware focused on network performance
monitoring, application performance management, and wide area networks (WANs),
icluding SD-WAN and WAN optimization."
Source: https://en.wikipedia.org/wiki/Riverbed_Technology
Business recommendation:
------------------------
It is recommended to update the SteelCentral Aternity Agent to the latest
version available at the time of the update.
SEC Consult recommends to perform a thorough security review conducted
by security professionals to identify and resolve all security issues.
Vulnerability overview/description:
-----------------------------------
1) Privilege Escalation Vulnerability
The SteelCentral Aternity agent uses an executable running as a high privileged
Windows service to perform administrative tasks and collect data from other
processes. The SteelCentral Aternity Agent distributes functionality among
different processes and uses IPC (Inter-Process Communication) primitives to
enable the processes to cooperate. Because access security is not properly
implemented upon IPC channels, malicious processes can trick application
processes to perform arbitrary actions.
The SteelCentral Aternity User Experience monitoring solution is therefore
prone to a privilege escalation vulnerability that allows a low privileged
attacker to gain SYSTEM privileges upon execution of a specially crafted
executable file on a target system. This vulnerability has proven exploitable
and a reliable exploit has been developed.
By using such an exploit an attacker could execute arbitrary code with SYSTEM
privileges. An attacker could use SYSTEM privileges to add users, exfiltrate
information and create and remove arbitrary files.
The following individual vulnerabilities have been discovered and chained
together into an exploit (see proof of concept):
- Insufficient security on InterProcess Communication channels (CVE-2020-15593)
Any user in the system is allowed to access the interprocess communication
channel "AternityAgentAssistantIpc", retrieve a serialized object and call
object
methods remotely. Among others, the methods allow any user to:
- Create and/or overwrite arbitrary XML files across the system
- Create arbitrary directories across the system
- Load arbitrary plugins (i.e. CSharp assemblies) from the
"Program Files (x86)/Aternity Information Systems/Assistant/plugins"
directory and execute code contained in them ()
- Directory traversal on plugin load path resolution (CVE-2020-15592)
The remotely callable methods from remotable objects available through
interprocess communication allow loading of arbitrary plugins (i.e. CSharp
Assemblies) from the "Program Files (x86)/Aternity Information
Systems/Assistant/plugins"
directory, where the name of the plugin is passed as part of an
XML-serialized object. However, because the name of the DLL is concatenated
with the ".\plugins" string, a directory traversal vulnerability exists in
the way plugins are resolved.
Combining these two vulnerabilities together, privilege escalation from a
low-privileged user to SYSTEM can be achieved.
Proof of concept:
-----------------
Exploit not provided in this advisory.
Vulnerable / tested versions:
-----------------------------
The following version has been tested:
* SteelCentral Aternity Agent 11.0.0.120
Vendor contact timeline:
------------------------
2019-12-16: Contacting vendor through supp...@riverbed.com. Vendor refuses to
discuss vulnerability further without serial number and customer
name, support ticket closed.
2020-01-29: Client supplies vendor contact. Vendor contacted again and technical
details supplied.
2020-01-30: Vendor asks for more details. Further details are provided.
2020-02-06: Vendor provided a remediation procedure to remove vulnerability
until
permanent fix is provided.
2020-02-19: Contacted vendor and asked for progress on final fix. Vendor is not
able to provide a final fix timeline estimation.
2020-05-28: Relaying advisory and SEC Consult responsible disclosure policy to
vendor through client.
2020-06-21: Vendor applied vulnerability remediation to all SaaS customers
2020-06-22: SEC Consult and vendor hold meeting to align responsible disclosure
timelines.
2020-06-22: Vendor published fix for Agent as version v11.0.3 available to all
on-premise customers
2020-06-23: Vendor notified all on-premise customers on procedure to
remediation and
of new Agent 11.0.3
2020-06-24: SEC Consult and vendor hold second meeting to align responsible
disclosure
timelines.
2020-07-24: SEC Consult releases advisory.
Solution:
---------
Update SteelCentral Aternity Agent to version 11.0.3. See following URL:
https://aternity.force.com/customersuccess/s/euem-agent
Workaround:
-----------
Not installing the Recorder and ProductDiagnostics components renders the
vulnerability not exploitable.
Aternity has also published a workaround:
https://aternity.force.com/customersuccess/s/article/Recorder-tool-security-
notification-mitigation-steps-for-On-Prem
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Eneko Cruz Elejalde / @2020
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
