Riverbed admins: get busy patching the SteelCentral Portal application.
Digital Defense discovered the bugs, which include two authentication flaws and two information disclosure vulnerabilities.
First, there’s an unauthenticated file upload bug in the portal’s UploadImageServlet that gives an attacker remote code execution with system privileges.
The servlet writes uploads into a directory that is reachable over the network, so an attacker can drop a JSP shell there and run commands as the system account. Once in, they can recover admin credentials, meaning “all connected SteelCentral Portal data sources” are compromised.
The second bug involves the H2 web console, which is accessible without authentication.
The Digital Defense advisory explains that the service was created as a developer tool, and wasn’t supposed to ship with the SteelCentral Portal.
Because the H2 console talks to SteelCentral Portal’s PostgreSQL database from localhost, it sidesteps the database’s access rules, and with “easily obtainable default admin credentials” an attacker can create a new table, store a JSP shell in it, and export the table into the Web application’s root directory. After that, the attacker pwns the host.
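Both bugs end the same way, with a JSP shell written into the web application’s root directory, so one check worth running after patching is a baseline of the JSP files under the webroot and a diff against it. The script that follows is an added example, not Digital Defense’s or Riverbed’s code; the webroot layout and the shell sample it builds are constructed for the demo, and the Runtime.exec/ProcessBuilder markers are a generic heuristic rather than anything taken from the advisory.

```python
"""Baseline and diff the JSP files under a webroot (added example, constructed data)."""
import hashlib
import os
import tempfile

# Generic markers for command execution in a JSP page (heuristic, not an advisory signature).
SHELL_MARKERS = (b"Runtime.getRuntime().exec", b"ProcessBuilder")


def hash_file(path):
    """SHA-256 of a file, read in chunks so large pages do not load into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def jsp_manifest(webroot):
    """Map each .jsp/.jspx file (path relative to webroot, '/' separated) to its hash."""
    manifest = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith((".jsp", ".jspx")):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, webroot).replace(os.sep, "/")
                manifest[rel] = hash_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Report JSP files that appeared or changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "modified": modified}


def looks_like_shell(path):
    """True if the page contains one of the command-execution markers above."""
    with open(path, "rb") as fh:
        data = fh.read()
    return any(marker in data for marker in SHELL_MARKERS)


def demo():
    """Build a constructed webroot, baseline it, simulate a dropped shell, and diff."""
    with tempfile.TemporaryDirectory() as webroot:
        os.makedirs(os.path.join(webroot, "admin"))
        with open(os.path.join(webroot, "index.jsp"), "w") as fh:
            fh.write("<html><body>portal</body></html>\n")
        with open(os.path.join(webroot, "admin", "login.jsp"), "w") as fh:
            fh.write('<%@ page language="java" %>login\n')
        baseline = jsp_manifest(webroot)  # taken on a known-good install

        # Simulated post-exploitation state: a new JSP shell plus a tampered legitimate page.
        with open(os.path.join(webroot, "cmd.jsp"), "w") as fh:
            fh.write('<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>\n')
        with open(os.path.join(webroot, "admin", "login.jsp"), "a") as fh:
            fh.write("<!-- tampered -->\n")

        report = diff_manifests(baseline, jsp_manifest(webroot))
        report["shell_like"] = sorted(
            p for p in report["added"] + report["modified"]
            if looks_like_shell(os.path.join(webroot, p))
        )
        return report


if __name__ == "__main__":
    print(demo())
```

On a real install, take the baseline right after patching from a clean deployment, store it off-host, and treat any added or modified JSP file as an incident until explained; the content heuristic only ranks the hits, a changed file with no marker still deserves a look.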
Finally, the DataSourceService Servlet and the roleService Web service both have information disclosure vulnerabilities.
The DataSourceService Servlet lets an attacker enumerate connected SteelCentral applications’ IP addresses and the admin account name; roleService spills valid usernames for the SteelCentral Portal. ®