Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

A10 Networks AX Loadbalancer Path Traversal Vulnerability

Vulnerability

A path traversal vulnerability has been identified in A10 Networks AX Loadbalancer versions 2.6.1-GR1-P5, 2.7.0, and earlier. This vulnerability arises from improper input validation in the filename parameter of the /xml/downloads endpoint, allowing an unauthenticated attacker to send crafted HTTP requests that traverse directories and access arbitrary files outside the intended directory. Exploitation of this vulnerability can lead to unauthorized disclosure of sensitive information, such as SSL certificates and private keys, as well as unintended file deletion, since files retrieved through the vulnerable endpoint are deleted from the system after being accessed.

Impact

Successful exploitation allows for directory traversal, enabling the attacker to read files outside the intended directory with root privileges. This could result in unauthorized access to sensitive information, such as SSL certificates and private keys, and could also lead to the deletion of files from the AX Loadbalancer device.

Reproduction

To reproduce this vulnerability, send a GET request to the '/xml/downloads' endpoint with a crafted filename parameter that includes directory traversal sequences. The request can be made using a web browser, curl, or a similar tool. Ensure that the 'CONFIRM_DELETE' option is set to 'true' if using the Metasploit module, as downloading a file will delete it from the device.
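For detection, the following added example (not part of this advisory or of A10's own tooling) scans web-server or proxy access logs for requests to the /xml/downloads endpoint whose filename parameter still contains a parent-directory segment after URL-decoding. The log lines and the regex-based line format are constructed assumptions; adapt the parser to the actual log format in use.

```python
# Added example: flag access-log requests to /xml/downloads whose filename
# parameter resolves to a path outside the intended directory.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in a common-log-like format (not real device logs).
SAMPLE_LOG = """\
10.0.0.5 - - [31/Jul/2025:15:42:01 +0000] "GET /xml/downloads?filename=report.txt HTTP/1.1" 200 512
10.0.0.9 - - [31/Jul/2025:15:42:07 +0000] "GET /xml/downloads?filename=..%2F..%2Fcerts%2Fserver.key HTTP/1.1" 200 1024
10.0.0.9 - - [31/Jul/2025:15:42:09 +0000] "GET /xml/downloads?filename=%2e%2e/%2e%2e/a.txt HTTP/1.1" 404 0
10.0.0.7 - - [31/Jul/2025:15:43:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Assumed line shape: ... "METHOD target HTTP/x.y" status ...
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def is_traversal(filename: str) -> bool:
    """True if the filename escapes its directory via '..' segments or an absolute path.

    Decoding twice catches double-encoded sequences such as %252e%252e.
    """
    decoded = unquote(unquote(filename)).replace("\\", "/")
    return ".." in decoded.split("/") or decoded.startswith("/")


def find_suspicious_requests(log_text: str) -> list:
    """Return one record per request to /xml/downloads with a traversal filename.

    Every attempt is reported regardless of HTTP status: a 200 on a vulnerable
    version means the file was both disclosed and deleted, so it warrants
    incident response (key rotation, restore from backup), while a 404 still
    shows someone probing the endpoint.
    """
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if url.path != "/xml/downloads":
            continue
        for fname in parse_qs(url.query, keep_blank_values=True).get("filename", []):
            if is_traversal(fname):
                hits.append({"src": line.split()[0],
                             "filename": fname,
                             "status": int(match.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit)
```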

Remediation

Upgrade to a version later than 2.7.0 or 2.6.1-GR1-P5.

Added: Jul 31, 2025, 3:42 PM
Updated: Jul 31, 2025, 3:42 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 9.1
remediation: 7.7
relevance: 0.3
threat: 8.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.