Silver Peak’s Unity Orchestrator, a software-defined WAN (SD-WAN) management platform, suffers from three remote code-execution security bugs that can be chained together to allow network takeover by unauthenticated attackers.
SD-WAN is a cloud-based networking approach used by enterprises and multilocation businesses of all sizes. It allows locations and cloud instances to be connected to each other and to company resources over any type of connectivity. It also applies software control to managing that process, including the orchestration of resources and nodes. This orchestration is usually centralized via a single-view platform – in this case, the Unity Orchestrator, which Silver Peak said has about 2,000 deployments.
According to researchers from Realmode Labs, the three bugs are an authentication bypass, file delete path traversal and an arbitrary SQL query execution, which can be combined in order to execute arbitrary code.
Attackers would first bypass authentication to log onto the platform, then look for a file being run by the web server, the firm noted. Then, they can delete it using the file delete path traversal issue, replacing it with one of their choice using SQL-query execution. Then all that’s needed is to execute the file to run any code or malware that they would like.
“In the best-case scenario, an attacker can use these vulnerabilities to intercept or steer traffic,” said Ariel Tempelhof, co-founder and CEO of Realmode, in a Medium post this week. “However, if an attacker desires, they can instead shut down a company’s entire international network.”
Bug Details
The issues are present in Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+. Orchestrator instances that are hosted by customers – on-premise or in a public cloud provider – are affected, Silver Peak said. Patches are available.
As far as technical specifics, the authentication bypass (CVE-2020-12145) exists in the way Unity handles API calls.
“[Affected platforms use] HTTP headers to authenticate REST API calls from localhost,” according to Silver Peak’s security advisory. “This makes it possible to log in to Orchestrator by introducing an HTTP HOST header set to 127.0.0.1 or localhost.”
Essentially this means that no meaningful authentication is performed when the calls originate from localhost, according to Tempelhof.
“The localhost check is being performed [like this]: request.getBaseUri().getHost().equals("localhost"),” he explained. “Any requests with ‘localhost’ as their HTTP Host header will satisfy this check. This can be easily forged in remote requests of course.”
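The following added example (not code from Silver Peak or Realmode) puts the quoted check beside a hardened form that decides on the TCP peer address instead of the Host header. The `Request` record, the host names and the addresses are constructed for illustration; the record only models how a base URI ends up carrying the client-supplied Host value.

```java
import java.net.InetAddress;
import java.net.URI;

public class LocalhostCheckDemo {
    // Constructed request model: the Host header is client-supplied text,
    // the peer address comes from the accepted TCP socket.
    record Request(String hostHeader, InetAddress peerAddress) {
        // Models a base URI whose host part is taken from the Host header.
        URI baseUri() {
            return URI.create("https://" + hostHeader + "/gms/rest/");
        }
    }

    // The check quoted above: it trusts a value the client controls.
    static boolean flawedIsLocal(Request r) {
        return "localhost".equals(r.baseUri().getHost());
    }

    // Hardened form: decide on the socket peer, never on a header.
    static boolean peerIsLoopback(Request r) {
        return r.peerAddress().isLoopbackAddress();
    }

    public static void main(String[] args) throws Exception {
        // 203.0.113.0/24 is a documentation range; the address is constructed.
        InetAddress remote = InetAddress.getByName("203.0.113.7");
        InetAddress local = InetAddress.getByName("127.0.0.1");

        Request[] samples = {
            new Request("orchestrator.example.com", remote), // ordinary remote call
            new Request("localhost", remote),                // remote call, forged Host
            new Request("localhost", local),                 // genuine local call
        };
        for (Request r : samples) {
            System.out.printf("host=%-26s peer=%-12s flawed=%-5b hardened=%b%n",
                r.hostHeader(), r.peerAddress().getHostAddress(),
                flawedIsLocal(r), peerIsLoopback(r));
        }
    }
}
```

Only the second sample differs between the two checks. If a reverse proxy on the same host fronts the API, every peer is loopback, so the peer check cannot stand in for real authentication on the endpoint.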
The path traversal issue (CVE-2020-12146) meanwhile exists because when a locally hosted file is deleted, no path-traversal check is made.
“An authenticated user can access, modify and delete restricted files on the Orchestrator server using the /debugFiles REST API,” according to Silver Peak.
Tempelhof elaborated: “Some of the API endpoints, which are now accessible thanks to the authentication bypass, allow the ability to upload debug logs to an S3 bucket to be examined by Silver Peak. This mechanism prepares the logs, uploads them and then deletes the locally hosted file. The /gms/rest/debugFiles/delete endpoint performing the deletion does not check for path traversal, creating the ability to delete any file on the system (if permissions allow).”
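The containment check that the delete endpoint lacked can be sketched as follows. This is an added example, not the vendor's fix: the staging directory `/var/tmp/debugFiles`, the helper name and the sample file names are hypothetical.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class DebugFileDeleteGuard {
    // Hypothetical staging directory; the real path is not given on the page.
    static final Path DEBUG_DIR = Paths.get("/var/tmp/debugFiles").normalize();

    // Returns the resolved target, or throws if the name escapes DEBUG_DIR.
    static Path resolveInsideDebugDir(String requestedName) {
        // resolve() returns an absolute argument unchanged, and normalize()
        // collapses "..", so both escape routes show up in the final path.
        Path target = DEBUG_DIR.resolve(requestedName).normalize();
        // Path.startsWith compares whole path elements, so a sibling such as
        // /var/tmp/debugFiles-old does not pass as a child of DEBUG_DIR.
        if (!target.startsWith(DEBUG_DIR) || target.equals(DEBUG_DIR)) {
            throw new SecurityException("rejected path: " + requestedName);
        }
        return target;
    }

    public static void main(String[] args) {
        String[] samples = { // constructed inputs
            "orch-debug-2020.tgz",
            "sub/orch-debug.tgz",
            "../debugFiles-old/x.tgz",
            "../../../opt/app/webroot/page.jsp",
            "/etc/hosts",
            "a/../../b",
        };
        for (String name : samples) {
            try {
                System.out.println("allow  " + resolveInsideDebugDir(name));
            } catch (SecurityException e) {
                System.out.println("deny   " + name);
            }
        }
    }
}
```

The check is purely lexical; where the staging directory can contain symbolic links, compare `toRealPath()` results before deleting.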
And the final issue, the SQL-query execution bug (CVE-2020-12147), allows an authenticated user to make unauthorized MySQL queries against the Orchestrator database, using the /sqlExecution REST API, according to Silver Peak. These arbitrary SQL queries are possible thanks to a special API endpoint which had been used for internal testing.
“The /gms/rest/sqlExecution endpoint can be leveraged to an arbitrary file write by utilizing an INTO DUMPFILE clause,” Tempelhof explained, adding that while INTO DUMPFILE does not allow overwriting a file directly, attackers can use the path-traversal bug to first delete the file and then rewrite it.
Realmode reported the vulnerabilities on Aug. 9, and Silver Peak issued patches on Oct. 30. No CVSS severity scores have yet been assigned.
Tempelhof said that his team found similar flaws in three other SD-WAN companies (all now patched), which will be disclosed soon.
“We researched the top four SD-WAN products on the market and found major remote code-execution vulnerabilities,” he wrote. “The vulnerabilities require no authentication whatsoever to exploit.”
Top SD-WAN vendors have had issues in the past. For instance, in March, Cisco Systems fixed three high-severity vulnerabilities that could enable local, authenticated attackers to execute commands with root privileges. A similar bug was found a month later in Cisco’s IOS XE, a Linux-based version of Cisco’s Internetworking Operating System (IOS) used in SD-WAN deployments.
And last December, a critical zero-day bug that allowed appliance takeover and RCE was found in various versions of the Citrix Application Delivery Controller (ADC) and Citrix Gateway products, which are used in SD-WAN implementations. In-the-wild attacks and public exploits quickly piled up after it was announced.