Evertz SDVN Web Management Interface Unauthenticated Command Injection Vulnerability

A vulnerability allowing arbitrary command injection has been identified in the Evertz SDVN 3080ipx-10G switch, as well as other products using the webEASY SDK. This vulnerability exists in the web management interface, which is accessible on port 80. The issue arises from two endpoints, 'feature-transfer-import.php' and 'feature-transfer-export.php', both of which accept user-controlled parameters without proper sanitization. Exploitation of this vulnerability is made easier by an authentication bypass flaw, allowing remote unauthenticated attackers to execute commands with root privileges on the affected device.

Impact

Exploitation of this vulnerability allows for arbitrary command execution as root, potentially disrupting media streaming, modifying streamed content, and altering generated closed captions.

Reproduction

The vulnerability can be reproduced by sending a request to the 'feature-transfer-export.php' endpoint with the 'action' parameter set to a command, such as 'id'. The 'filename' and 'slot' parameters can be left empty. This injection is possible because the endpoint does not sanitize the input before executing the command. Additionally, the authentication bypass can be achieved by sending a request with a base64-encoded JSON structure that represents an admin user, bypassing the need for valid credentials.