SD-WAN company Peplink has patched its load-balancing routers against vulnerabilities turned up by a German pentest company.
As is so often the case, the bugs discovered by X41 Security centre on the products' Web admin interface, with seven individual bugs reported (CVE-2017-8835 to CVE-2017-8841).
The vulnerabilities include a critical SQL injection attack via the bauth cookie; a lack of cross-site request forgery protection; clear-text password storage; two cross-site scripting bugs; a file deletion vulnerability; and an information disclosure bug.
The SQL injection bug is the worst: it gives an attacker access to the SQLite session store containing user and session variables:
“By forming specialised SQL queries, it is possible to retrieve usernames from the database. This worked by returning a valid session in case the username existed and no session if it did not exist. In the first case the server did not set a new session cookie in the response to the request.”
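To make the quoted finding concrete, here is an added example (not Peplink's code or X41's advisory material) that models a session lookup keyed on an authentication cookie against an in-memory SQLite table. The table layout, the cookie name `bauth` reused from the article, the token values and the probe strings are all constructed for illustration. The vulnerable lookup splices the cookie value into the SQL text, which is what turns the session check into a yes/no oracle for usernames; the hardened lookup binds the value as a parameter, and the same probes then behave identically whether or not the username exists. A format check on the token is included as a defence-in-depth layer.

```python
import re
import sqlite3

# Constructed stand-in for a router's session store (not Peplink's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, user TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hash-placeholder')")
    conn.execute("INSERT INTO sessions VALUES ('s3cr3t-token', 'admin')")
    conn.commit()
    return conn


def lookup_session_vulnerable(conn, bauth):
    """Builds the SQL text from the raw cookie value.

    Anything the client puts in the cookie reaches the SQL parser, so a
    value that is not a real token can still produce a 'valid session'
    row depending on a condition the attacker chose.
    """
    sql = "SELECT user FROM sessions WHERE token = '%s'" % bauth
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# Hypothetical token format for this demo: 8-64 chars of [A-Za-z0-9-].
TOKEN_RE = re.compile(r"^[A-Za-z0-9-]{8,64}$")


def is_wellformed_token(bauth):
    """Cheap defence-in-depth: reject cookie values that cannot be a token."""
    return bool(TOKEN_RE.match(bauth))


def lookup_session_hardened(conn, bauth):
    """Same lookup with a bound parameter.

    The cookie value is passed to SQLite as data, never as SQL text, so
    the only way to get a row back is to present the real token.
    """
    if not is_wellformed_token(bauth):
        return None
    row = conn.execute(
        "SELECT user FROM sessions WHERE token = ?", (bauth,)
    ).fetchone()
    return row[0] if row else None


def oracle_leaks(conn, lookup):
    """True if crafted cookie values make the lookup answer differently
    for an existing and a non-existing username, i.e. the session check
    doubles as a username oracle (the behaviour X41 describes)."""
    exists = lookup(conn, "x' OR user = 'admin' -- ")
    missing = lookup(conn, "x' OR user = 'nobody' -- ")
    return exists != missing


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup leaks:", oracle_leaks(db, lookup_session_vulnerable))
    print("hardened lookup leaks:  ", oracle_leaks(db, lookup_session_hardened))
```

Running the script prints `True` for the vulnerable lookup and `False` for the hardened one. The fix is the bound parameter; the token-format check merely stops malformed values from ever reaching the database and gives a convenient place to log and alert on them.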
X41 explains it first got interested in the Peplink kit when its employees Eric Sesterhenn and Abovo-IT's Claus Overbeck saw an Internet-exposed Web interface.
From the exposed Web interface, the pair identified the XSS and SQL injection bugs, and set to work examining the Peplink firmware.
Peplink has posted an updated binary here. ®