Riverbed SteelHead VCX Path Traversal Vulnerability Allowing Authenticated Arbitrary File Read
Vulnerability
A path traversal vulnerability has been identified in Riverbed SteelHead VCX appliances, specifically in the VCX255U model running version 9.6.0a. The vulnerability arises from inadequate input validation in the log filtering feature of the management web interface. An authenticated attacker can exploit it by sending crafted filter expressions to the log_filter endpoint via the filterStr parameter. The backend parser processes this input and evaluates file expansion syntax in it, which can be used to read arbitrary system files through the log viewing interface.
Impact
Exploitation of this vulnerability allows authenticated users to read arbitrary files on the system, potentially leading to the disclosure of sensitive information.
Reproduction
To reproduce this vulnerability, log in to the Riverbed SteelHead VCX appliance with an account that has access to the management web interface. Navigate to the log filtering feature and submit a filter expression that includes file expansion syntax targeting a sensitive file, such as '/etc/passwd'. The backend parser processes the crafted input, and the contents of the specified file are returned via the log viewing interface.
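For defenders, the following added example (not part of the original advisory and not Riverbed code) scans web access logs for log_filter requests whose filterStr value contains path separators or characters outside a conservative allowlist. The access-log format, the /log_filter URL prefix, filterStr arriving in the query string, and the allowlist are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate filter terms need only these characters.
ALLOWED = re.compile(r"[A-Za-z0-9 _.:\-]*")
# Request line of a common/combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_filter(value):
    """Return a reason if a decoded filterStr looks like file access, else None."""
    if "/" in value or "\\" in value:
        return "path separator in filter"
    if not ALLOWED.fullmatch(value):
        return "character outside allowlist"
    return None

def scan(lines):
    """Return (line_no, filterStr, reason) for each flagged log_filter request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if "log_filter" not in url.path:
            continue
        # parse_qs percent-decodes once, so %2F is seen as "/"; a double-encoded
        # value still contains "%" after decoding and fails the allowlist.
        for value in parse_qs(url.query, keep_blank_values=True).get("filterStr", []):
            reason = suspicious_filter(value)
            if reason:
                hits.append((n, value, reason))
    return hits

# Constructed sample lines; the /log_filter URL prefix is a placeholder.
SAMPLE = [
    '10.0.0.5 - admin [01/Jan/2024:10:00:00 +0000] "GET /log_filter?filterStr=link+down HTTP/1.1" 200 512',
    '10.0.0.9 - monitor [01/Jan/2024:10:02:11 +0000] "GET /log_filter?filterStr=%2Fetc%2Fpasswd HTTP/1.1" 200 1843',
    '10.0.0.9 - monitor [01/Jan/2024:10:02:40 +0000] "GET /log_filter?filterStr=%252Fetc%252Fpasswd HTTP/1.1" 200 97',
    '10.0.0.5 - admin [01/Jan/2024:10:03:00 +0000] "GET /reports?filterStr=%2Ftmp HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The same `suspicious_filter` check can serve as a server-side or reverse-proxy allowlist in front of the endpoint until a fixed version is deployed.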
