Avid NEXIS E-series
- < 2024.6.0
A vulnerability allowing remote code execution on the underlying operating system with root permissions has been identified in multiple Avid NEXIS products, including the E-series, F-series, PRO+, and the System Director Appliance (SDA+), all running on Linux. This vulnerability arises from improper input validation in the Avid NEXIS Web Agent, which allows authenticated users to execute system commands directed to specific IP addresses without proper validation. As a result, an authenticated attacker could exploit this flaw to execute arbitrary commands on the target machine.
Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the affected system with root privileges.
The vulnerability can be reproduced by sending a GET request to the Avid NEXIS Web Agent with the 'host' parameter in the 'ping' or 'tracert' tools. The request must include a valid 'avidagent' cookie and a 'userveragenttoken' cookie, which are used for authentication. The 'host' parameter can be manipulated to include command injection payloads, such as adding a semicolon followed by a command, like 'id', to execute commands on the server.
Users are advised to upgrade to Avid NEXIS version 2024.6.0, available for download since June 18, 2024. If an immediate upgrade is not possible, Avid recommends configuring a firewall rule to whitelist access to the Storage Manager Agent on port 5015.
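The input validation whose absence is described above for the 'host' parameter can be sketched as follows. This is an added example, not Avid's code or its fix: the function names (`validate_host`, `build_ping_argv`, `run_ping`) and the sample values in the comments are hypothetical, and it assumes a Linux `ping` that accepts `-c` and `--`.

```python
import ipaddress
import re
import subprocess

# One RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
# Used with fullmatch() so a trailing newline cannot slip past a '$' anchor.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def validate_host(value: str) -> str:
    """Return a canonical IP address or hostname, or raise ValueError."""
    if not isinstance(value, str) or not value or len(value) > 253:
        raise ValueError("host missing or too long")
    # IPv6 zone IDs ("fe80::1%eth0") may carry arbitrary characters after '%';
    # this sketch rejects them outright.
    if "%" in value:
        raise ValueError("scoped addresses are not accepted")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass  # not an IP literal; fall through to the hostname check
    name = value.rstrip(".")
    if name and all(_LABEL.fullmatch(label) for label in name.split(".")):
        return name.lower()
    raise ValueError("host is not an IP address or hostname")


def build_ping_argv(raw_host: str, count: int = 4) -> list[str]:
    """Build an argument vector; the host is a single argv element, never shell text."""
    host = validate_host(raw_host)
    # '--' ends option parsing, so a value can never be read as a ping option.
    return ["ping", "-c", str(count), "--", host]


def run_ping(raw_host: str) -> subprocess.CompletedProcess:
    """Run ping without a shell, so ';', '|', '$()' and newlines have no meaning."""
    return subprocess.run(build_ping_argv(raw_host), capture_output=True,
                          text=True, timeout=30, check=False)


if __name__ == "__main__":
    # Constructed sample values: one valid address and the ';id' shape from the text.
    for sample in ["192.0.2.10", "192.0.2.10;id"]:
        try:
            print(sample, "->", build_ping_argv(sample))
        except ValueError as exc:
            print(repr(sample), "rejected:", exc)
```

Validation and shell-free execution are independent layers: either one alone stops the semicolon case, and together they also cover option injection and newline tricks.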