Evertz SDVN Authentication Bypass Vulnerability Allowing Unauthenticated Command Injection

Vulnerability

An authentication bypass vulnerability has been identified in the Evertz SDVN 3080ipx-10G, which allows remote unauthenticated attackers to execute arbitrary commands with root privileges. The flaws are in the web management interface, which is accessible on port 80 and built with PHP using the webEASY SDK. The authentication mechanism can be bypassed by sending a crafted request that includes a base64-encoded JSON structure representing an authorized user, which grants access to administrative features. With that access, a command injection vulnerability can be exploited through two endpoints that accept unsanitized user-controlled parameters, leading to unauthorized command execution on the device.

Impact

Exploitation of this vulnerability allows for unauthenticated arbitrary command execution as root on the affected device, potentially disrupting media streaming, modifying streamed content, and altering generated closed captions.

Reproduction

The vulnerability can be reproduced by sending a request to the login.php endpoint with a base64-encoded JSON structure that represents an authorized user with administrative privileges. This bypasses the authentication mechanism. After gaining access, the command injection vulnerability can be exploited by sending requests to the feature-transfer-import.php or feature-transfer-export.php endpoints, including the action parameter with a value that executes a command, such as 'id'.
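For defenders, the following added example (not part of the advisory and not Evertz code) triages web access logs for requests to the three endpoints named above. It assumes the logs come from a proxy or tap in front of the device in Common Log Format, that the action parameter is visible in the query string, and that the management range and the known-good action set are site-specific placeholders.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

# Endpoints named in the advisory.
WATCHED = {"/login.php": "login",
           "/feature-transfer-import.php": "transfer",
           "/feature-transfer-export.php": "transfer"}
MGMT_NETS = [ip_network("10.20.0.0/24")]   # assumption: management range
KNOWN_ACTIONS = {"status"}                 # assumption: values seen in normal use
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')

def is_mgmt(client):
    """True when the client address is inside a management network."""
    try:
        addr = ip_address(client)
    except ValueError:          # hostname or garbage in the client field
        return False
    return any(addr in net for net in MGMT_NETS)

def triage(lines):
    """Return (severity, client, path, reason) for each suspicious request."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        kind = WATCHED.get(url.path)
        if kind is None:
            continue
        actions = parse_qs(url.query, keep_blank_values=True).get("action", [])
        odd = [a for a in actions if a not in KNOWN_ACTIONS]
        if kind == "transfer" and odd:
            findings.append(("high", client, url.path, f"unrecognised action {odd[0]!r}"))
        elif not is_mgmt(client):
            sev = "medium" if kind == "transfer" else "low"
            findings.append((sev, client, url.path, "reached from outside management range"))
    return findings

# Constructed sample lines (Common Log Format), not captured from a real device.
SAMPLE = [
    '10.20.0.15 - - [12/Sep/2025:14:01:02 +0000] "GET /feature-transfer-export.php?action=status HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Sep/2025:14:05:10 +0000] "POST /login.php HTTP/1.1" 200 88',
    '203.0.113.7 - - [12/Sep/2025:14:05:11 +0000] "GET /feature-transfer-import.php?action=id HTTP/1.1" 200 41',
    '198.51.100.9 - - [12/Sep/2025:14:09:30 +0000] "GET /feature-transfer-export.php HTTP/1.1" 200 300',
    '10.20.0.15 - - [12/Sep/2025:14:10:00 +0000] "GET /index.php HTTP/1.1" 200 1024',
]
```

Parameters sent in a POST body do not appear in access logs, so a quiet log does not rule out use of the transfer endpoints; the out-of-range findings cover that case.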

Added: Sep 12, 2025, 2:20 PM
Updated: Sep 12, 2025, 2:20 PM

Vulnerability Rating

Custom Algorithm
spread: 1.2
impact: 7.5
exploitability: 7.5
remediation: 7.9
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.