Versa Concerto SD-WAN Orchestration Platform Authentication Bypass and Remote Code Execution Vulnerability
Vulnerability
A vulnerability in the Versa Concerto SD-WAN orchestration platform allows for authentication bypass and remote code execution (RCE). This issue arises from URL decoding inconsistencies in the Traefik reverse proxy configuration, which can be exploited to access administrative endpoints. The vulnerability is present in Versa Concerto versions 12.1.2 through 12.2.0, with additional versions potentially affected.
Impact
Exploitation of this vulnerability leads to unauthorized access to administrative endpoints and allows for remote code execution on the server.
Reproduction
The vulnerability can be reproduced by sending a request to the '/portalapi/v1/users/username/admin' endpoint with a URL-encoded semicolon. The authentication check is bypassed because of how the Traefik reverse proxy handles the 'X-Real-IP' header. With that check bypassed, the '/portalapi/v1/package/spack/upload' endpoint can be used to write arbitrary files. By uploading a malicious file and manipulating the upload process to create a race condition, remote code execution can be achieved.
Remediation
Users are advised to update to the latest version of Versa Concerto, as patches for this vulnerability have been released. Until then, temporary measures can be implemented at the reverse proxy or Web Application Firewall (WAF) levels to block requests containing semicolons in the URL paths or to drop requests with 'Connection' headers that include 'X-Real-Ip'.
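The following Python is an added example, not code from the advisory or from Versa, showing how the two interim filters described above could be expressed as a request-screening function for a proxy or WAF hook. The function names, the repeated-decoding depth and the sample requests in the comments are assumptions; the semicolon check decodes the path several times because the advisory attributes the bypass to inconsistent URL decoding between components.

```python
from typing import Mapping, Optional
from urllib.parse import unquote

# Constructed mitigation logic modelled on the advisory's interim advice:
# block requests whose path contains a semicolon (raw or URL-encoded) and
# drop requests whose Connection header lists X-Real-Ip as hop-by-hop.
# Both helpers are assumptions about how such a filter would be written.

def contains_semicolon(path: str, max_decodes: int = 3) -> bool:
    """True if ';' appears in the path after 0..max_decodes decoding passes.

    A single unquote() would miss a double-encoded '%253B'; decoding until
    the string stops changing (bounded by max_decodes) covers the case where
    the proxy and the backend decode a different number of times.
    """
    current = path
    for _ in range(max_decodes + 1):
        if ";" in current:
            return True
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode
            break
        current = decoded
    return False

def connection_strips_real_ip(headers: Mapping[str, str]) -> bool:
    """True if a Connection header names X-Real-Ip (case-insensitive).

    Connection carries a comma-separated token list; a proxy treats the named
    headers as hop-by-hop and may drop them before forwarding.
    """
    for name, value in headers.items():
        if name.lower() != "connection":
            continue
        tokens = {token.strip().lower() for token in value.split(",")}
        if "x-real-ip" in tokens:
            return True
    return False

def should_block(path: str, headers: Mapping[str, str]) -> Optional[str]:
    """Return a short block reason, or None if the request may be forwarded."""
    if contains_semicolon(path):
        return "semicolon-in-path"
    if connection_strips_real_ip(headers):
        return "connection-x-real-ip"
    return None

# Constructed sample: a path with an encoded semicolon is blocked, a normal
# admin path without one passes. Replace with requests from your own proxy.
if __name__ == "__main__":
    print(should_block("/portalapi/v1/users/username/admin%3B", {}))
    print(should_block("/portalapi/v1/users/username/admin", {"Connection": "close"}))
```

The hop-by-hop check only inspects the Connection header; it does not need to see whether an X-Real-Ip header is actually present, since the advisory's mitigation is to drop any request that asks the proxy to strip it.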
