Riverbed SteelCentral NetProfiler and NetExpress Remote Code Execution Vulnerability

A multi-stage remote code execution vulnerability has been identified in Riverbed SteelCentral NetProfiler and NetExpress virtual appliances, both version 10.8.7. The vulnerability arises from a SQL injection flaw in the login API, which can be exploited to create a new user account. This newly created user can then exploit a command injection vulnerability in the licenses endpoint to execute arbitrary commands. Additionally, the 'mazu' user can escalate privileges to root by exploiting an insecure sudoers configuration, allowing SSH key extraction and command chaining. Successful exploitation provides full root access to the virtual appliance.

Impact

Exploitation of this vulnerability leads to unauthorized remote code execution with root privileges on the affected virtual appliance.

Reproduction

The vulnerability can be reproduced by first exploiting the SQL injection in the login API to create a malicious user. After successfully logging in as this user, the command injection vulnerability in the licenses endpoint can be exploited to execute arbitrary commands. Finally, the 'mazu' user's privileges can be escalated to root by exploiting the insecure sudoers configuration, allowing SSH key extraction and command chaining.

Remediation

Users can upgrade to Riverbed SteelCentral NetProfiler or NetExpress version 10.29 to address this vulnerability.