Array Networks vAPV
cpe:2.3:h:arraynetworks:vapv:*:*:*:*:*:*:*
- 8.3.2.17
This vulnerability is being actively exploited in the wild.
A privilege escalation vulnerability has been identified in Array Networks vAPV version 8.3.2.17 and vxAG version 9.2.0.34 appliances. This vulnerability arises from a combination of hardcoded SSH credentials or a private key, and insecure permissions on a startup script. The appliances come with default SSH login credentials or a hardcoded DSA private key, enabling remote authentication with limited privileges. Once logged in, an attacker can overwrite the world-writable /ca/bin/monitor.sh script with arbitrary commands. This script is executed with elevated privileges through a backend binary, allowing the execution of the attacker's payload as root and resulting in full system compromise.
Exploitation of this vulnerability leads to unauthorized root access on the affected appliance, allowing for complete control over the system.
The vulnerability can be reproduced by logging into the affected appliance via SSH using the hardcoded private key associated with the 'sync' user. After gaining access, the 'sync' user can write arbitrary commands to the /ca/bin/monitor.sh script, which is executed with root privileges. Execution is triggered by using the /ca/bin/backend tool to turn on debug monitoring, which runs the modified script as root.
Users are advised to upgrade to newer versions of the software. Additionally, changing default passwords and SSH keys, and modifying the permissions of world-writable files can help mitigate the vulnerability.
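A small audit for the two conditions this advisory names, as an added example that is not vendor code or part of the original advisory: it lists world-writable files under a directory such as /ca/bin and counts DSA keys accepted by an authorized_keys file. The authorized_keys location, the constructed sample tree and all function names are assumptions.

```shell
#!/bin/sh
# Added audit sketch, not vendor code. Only /ca/bin/monitor.sh comes from the
# advisory; the authorized_keys location is an assumption passed as an argument.

# List regular files under directory $1 that any local user can modify.
list_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# Clear the world-write bit on those files; print how many were changed.
harden_world_writable() {
    count=$(list_world_writable "$1" | wc -l | tr -d ' ')
    find "$1" -type f -perm -0002 -exec chmod o-w {} + 2>/dev/null
    echo "$count"
}

# Count DSA ("ssh-dss") public keys accepted by authorized_keys file $1.
# Commented-out lines are ignored; key options before the type are allowed.
count_dsa_keys() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -E '^([^#]*[[:space:]])?ssh-dss[[:space:]]' "$1" || true
}

# Build a constructed sample tree (not real appliance data) and print its path.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/ca/bin" "$root/home/sync/.ssh"
    printf '#!/bin/sh\n' > "$root/ca/bin/monitor.sh"
    printf '#!/bin/sh\n' > "$root/ca/bin/backend_helper.sh"
    chmod 777 "$root/ca/bin/monitor.sh"        # the weak permission described
    chmod 755 "$root/ca/bin/backend_helper.sh" # hypothetical neighbour, safe
    {
        echo '# ssh-dss AAAAconstructed retired@example'
        echo 'ssh-dss AAAAconstructed sync@example'
        echo 'ssh-ed25519 AAAAconstructed admin@example'
    } > "$root/home/sync/.ssh/authorized_keys"
    echo "$root"
}

# Usage: audit.sh <script-dir> <authorized_keys>   (no arguments: sample run)
if [ "$#" -ge 2 ]; then dir=$1; keys=$2
else sample=$(make_sample); dir=$sample/ca/bin; keys=$sample/home/sync/.ssh/authorized_keys; fi
echo "world-writable files:"; list_world_writable "$dir"
echo "DSA keys authorized: $(count_dsa_keys "$keys")"
```

The default run only reports; `harden_world_writable` changes permissions and is called explicitly once the listed files have been reviewed.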