Chained vulnerabilities in Aruba Networks firmware allowed remote code execution on routers
Ben Dickson July 20, 2021 at 11:06 UTC
Updated: July 20, 2021 11:32 UTC
Office pen test leads to discovery of several bugs in the Enterprise Networking Kit
Multiple vulnerabilities in Aruba Networks routers allowed attackers to carry out a range of malicious activities, including remote code execution (RCE), security researchers have found.
Aleph Security’s Itai Greenhut and Gal Zror found a total of eight vulnerabilities in Aruba Instant, the software that allows administrators to configure settings for Aruba routers.
“We have Aruba routers that provide us with web access in our office,” Greenhut told The Daily Swig.
“Our research started because we were working from home and wanted to research our own WiFi equipment and see how secure we are.
“We also challenged ourselves and our end goal in this project was to get an unauthenticated RCE on our office router.”
Route to resume
Aruba routers are configured through a restricted command line interface. The router also has an associated CGI portal that allows users to send commands to the CLI through a web interface.
Researchers discovered a command injection vulnerability in one of the CLI commands that allowed them to create directories and upload files to the server. They were then able to exploit the same vulnerability through the web interface query string that communicates with the CLI module.
Then they found a way to upload an arbitrary file to the directory hosting the CGI application. They did this by using the server logging mechanism and directory traversal patterns to create a malicious file in the web server’s root directory.
Finally, they used a bug in the server’s process application programming interface (PAPI) to force the router to expose the contents of its configuration file. In some of the older firmware versions, the configuration file contains the clear text password for the server administrator.
In newer versions, the password is hashed.
“In the minimal case, the stored password is hashed and in order to continue the attack, the attacker must provide credentials or decrypt this hash,” Greenhut said.
“The worst case is that the router still has the password stored in the clear and after extracting the credentials, the attacker can continue the attack as usual.”
With this information, an attacker could exploit the chain of vulnerabilities to gain root shell access to Aruba routers.
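The first two links in the chain described above, a command injected through the CGI query string and a traversal sequence used to place a file in the web root, both leave traces in the web server's request log. The following triage sketch is an added example, not code from the researchers or from Aruba; the log format, the CGI path and the parameter names are hypothetical and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample log lines; the CGI path and parameter names are hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 "GET /cgi-bin/portal.cgi?opcode=show&cmd=version HTTP/1.1" 200',
    '10.0.0.9 "GET /cgi-bin/portal.cgi?opcode=show&cmd=version%3Bid HTTP/1.1" 200',
    '10.0.0.9 "GET /cgi-bin/portal.cgi?logfile=%252e%252e%252f%252e%252e%252fwww%252fa.cgi HTTP/1.1" 200',
    '10.0.0.7 "GET /index.html HTTP/1.1" 200',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
SHELL_META = re.compile(r'[;|&`$<>\n]')                  # characters a shell treats specially
TRAVERSAL = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')    # a ".." path component

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input cannot hide a pattern."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(line):
    """Return a sorted list of findings for one log line, empty if clean."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    findings = set()
    # Split on the raw '&' before decoding so an encoded '&' stays inside its value.
    for pair in filter(None, query.split("&")):
        _, _, raw_value = pair.partition("=")
        value = fully_decode(raw_value)
        if SHELL_META.search(value):
            findings.add("shell-metacharacter")
        if TRAVERSAL.search(value):
            findings.add("path-traversal")
    return sorted(findings)

def scan(lines):
    """Map the index of each suspicious log line to its findings."""
    return {i: f for i, line in enumerate(lines) if (f := inspect_request(line))}

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LOG).items():
        print(index, findings, SAMPLE_LOG[index])
```

Legitimate parameter values can contain some of these characters, so hits are leads for review rather than confirmed exploitation.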
During their research, Greenhut and Zror discovered other vulnerabilities, including an argument injection vulnerability in the CLI library and a cross-site scripting bug in the Captive Portal, the web page displayed to users when they first connect to the router.
“The exploit does not require physical access to the router, it can be exploited by an attacker on the same network without any physical access,” Greenhut said.
“If the router exposes its web panel to the Internet, this exploit can also attack routers from the WAN.”
Greenhut also pointed out that a quick query to device search engines shows thousands of routers exposed.
As Aruba is a leading supplier of equipment for corporate clients such as airports, hospitals, and universities, the implications of having vulnerable routers in public places and accessible via the Internet can be critical.
According to an Aruba advisory that details the vulnerabilities, the bugs were fixed earlier this year.