Researchers at vulnerability management services provider Digital Defense have identified four security holes in Riverbed SteelCentral, a popular application and network performance monitoring product.
The flaws affect the SteelCentral Portal application and they can be exploited by unauthenticated attackers for remote command execution and to obtain user information. The vulnerabilities were reported to Riverbed Technology in January and they were later patched by the vendor.
According to Digital Defense, there are two remote command execution vulnerabilities that can be exploited to take full control of the host running the SteelCentral Portal application, and from there hijack all connected data sources using administrator credentials.
One of the flaws, related to the UploadImageServlet function, can be exploited to upload arbitrary files to a directory that is remotely accessible. An attacker can upload a JavaServer Page (JSP) shell that allows execution of arbitrary commands with SYSTEM privileges.
The second RCE weakness is related to the H2 web console, a service that can be accessed remotely without authentication. In its advisory, Digital Defense said the H2 console is designed for access during development, but it’s still present in the default installation of the SteelCentral Portal.
Researchers determined that the console can be used to access the Portal’s PostgreSQL database – this database normally doesn’t allow remote connections, but the H2 console bypasses the restriction by connecting from localhost.
“Once connected to the PostgreSQL database, an attacker can create a new table; insert the file content for a JSP shell into the table, then export the table contents to a file in the root directory of the web application. An attacker can then gain access to a web shell without authentication, and run arbitrary commands with SYSTEM privileges,” Digital Defense said in its advisory.
Experts have also identified two information disclosure flaws that can be exploited by unauthenticated attackers to enumerate usernames. Once the usernames are obtained, a hacker can launch a brute-force attack against the SteelCentral Portal interface.
Researchers managed to exploit the vulnerabilities in versions 1.3.1 and 1.4.0. Riverbed customers can obtain information on the patches through the company’s support portal.