0day.today - Biggest Exploit Database in the World.
SteelCentral Aternity Agent 11.0.0.120 Privilege Escalation Vulnerability
Risk: Security Risk High
=======================================================================
              title: Privilege Escalation Vulnerability
            product: SteelCentral Aternity Agent
 vulnerable version: 11.0.0.120
      fixed version:
         CVE number: CVE-2020-15592, CVE-2020-15593
             impact: Critical
           homepage: https://www.riverbed.com/gb/
                 by: Eneko Cruz Elejalde (Office Zurich)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Riverbed Technology, Inc. is an American information technology company. Its products consist of software and hardware focused on network performance monitoring, application performance management, and wide area networks (WANs), including SD-WAN and WAN optimization."

Source: https://en.wikipedia.org/wiki/Riverbed_Technology

Business recommendation:
------------------------
It is recommended to update the SteelCentral Aternity Agent to the latest version available at the time of the update.

SEC Consult recommends a thorough security review conducted by security professionals to identify and resolve all security issues.

Vulnerability overview/description:
-----------------------------------
1) Privilege Escalation Vulnerability
The SteelCentral Aternity agent uses an executable running as a highly privileged Windows service to perform administrative tasks and collect data from other processes. The SteelCentral Aternity Agent distributes functionality among different processes and uses IPC (Inter-Process Communication) primitives to enable the processes to cooperate. Because access security is not properly implemented on the IPC channels, malicious processes can trick application processes into performing arbitrary actions.

The SteelCentral Aternity User Experience monitoring solution is therefore prone to a privilege escalation vulnerability that allows a low privileged attacker to gain SYSTEM privileges upon execution of a specially crafted executable file on a target system.

This vulnerability has proven exploitable and a reliable exploit has been developed. By using such an exploit an attacker could execute arbitrary code with SYSTEM privileges. An attacker could use SYSTEM privileges to add users, exfiltrate information and create and remove arbitrary files.

The following individual vulnerabilities have been discovered and chained together into an exploit (see proof of concept):

- Insufficient security on InterProcess Communication channels (CVE-2020-15593)
  Any user in the system is allowed to access the interprocess communication channel "AternityAgentAssistantIpc", retrieve a serialized object and call object methods remotely. Among others, the methods allow any user to:
  - Create and/or overwrite arbitrary XML files across the system
  - Create arbitrary directories across the system
  - Load arbitrary plugins (i.e. CSharp assemblies) from the "Program Files (x86)/Aternity Information Systems/Assistant/plugins" directory and execute code contained in them

- Directory traversal on plugin load path resolution (CVE-2020-15592)
  The remotely callable methods from remotable objects available through interprocess communication allow loading of arbitrary plugins (i.e. CSharp Assemblies) from the "Program Files (x86)/Aternity Information Systems/Assistant/plugins" directory, where the name of the plugin is passed as part of an XML-serialized object. However, because the name of the DLL is concatenated with the ".\plugins" string, a directory traversal vulnerability exists in the way plugins are resolved.

Combining these two vulnerabilities together, privilege escalation from a low-privileged user to SYSTEM can be achieved.
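
The plugin path resolution flaw described above (CVE-2020-15592), modelled as an added example that is not part of the advisory or the vendor's code: a resolver that appends the caller-supplied DLL name to the plugin directory, beside one that validates the name and re-checks the canonical path. The drive letter, the allowlist pattern and the sample names are assumptions.

```python
import ntpath  # Windows path rules on any OS, so this runs offline
import re

# Directory named in the advisory; the drive letter is an assumption.
PLUGIN_DIR = r"C:\Program Files (x86)\Aternity Information Systems\Assistant\plugins"
# Assumed policy: a plugin is a bare DLL file name, nothing else.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9_.-]*\.dll", re.IGNORECASE)


def resolve_naive(dll_name):
    """Model of the flawed pattern: caller-supplied name appended to the plugin dir."""
    return ntpath.normpath(PLUGIN_DIR + "\\" + dll_name)


def is_contained(path):
    """True when a resolved path lies inside PLUGIN_DIR (case-insensitive)."""
    base = ntpath.normcase(ntpath.normpath(PLUGIN_DIR)) + "\\"
    return ntpath.normcase(ntpath.normpath(path)).startswith(base)


def resolve_checked(dll_name):
    """Resolve a plugin name; raise ValueError if it is not a plain file in PLUGIN_DIR."""
    if not SAFE_NAME.fullmatch(dll_name):
        raise ValueError("illegal plugin name: %r" % dll_name)
    candidate = ntpath.normpath(ntpath.join(PLUGIN_DIR, dll_name))
    # Defence in depth: re-check the canonical path, not the input string.
    if not is_contained(candidate):
        raise ValueError("plugin path escapes plugin directory: %r" % candidate)
    return candidate


def review(names):
    """For each requested name, report how each resolver treats it."""
    report = {}
    for name in names:
        try:
            resolve_checked(name)
            accepted = True
        except ValueError:
            accepted = False
        report[name] = {"naive_stays_inside": is_contained(resolve_naive(name)),
                        "checked_accepts": accepted}
    return report


# Constructed sample requests (hypothetical names, not taken from the product).
SAMPLES = ["ExamplePlugin.dll", r"..\..\staging\module.dll", r"sub/..\..\x.dll"]

if __name__ == "__main__":
    for name, result in review(SAMPLES).items():
        print(name, result)
```

Path validation addresses only CVE-2020-15592; the IPC channel itself still needs access control on who may call the remote methods (CVE-2020-15593).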

Proof of concept:
-----------------
Exploit not provided in this advisory.

Vulnerable / tested versions:
-----------------------------
The following version has been tested:
* SteelCentral Aternity Agent 11.0.0.120

Vendor contact timeline:
------------------------
2019-12-16: Contacting vendor through support@riverbed.com. Vendor refuses to discuss vulnerability further without serial number and customer name, support ticket closed.
2020-01-29: Client supplies vendor contact. Vendor contacted again and technical details supplied.
2020-01-30: Vendor asks for more details. Further details are provided.
2020-02-06: Vendor provided a remediation procedure to remove vulnerability until permanent fix is provided.
2020-02-19: Contacted vendor and asked for progress on final fix. Vendor is not able to provide a final fix timeline estimation.
2020-05-28: Relaying advisory and SEC Consult responsible disclosure policy to vendor through client.
2020-06-21: Vendor applied vulnerability remediation to all SaaS customers
2020-06-22: SEC Consult and vendor hold meeting to align responsible disclosure timelines.
2020-06-22: Vendor published fix for Agent as version v11.0.3 available to all on-premise customers
2020-06-23: Vendor notified all on-premise customers on procedure to remediation and of new Agent 11.0.3
2020-06-24: SEC Consult and vendor hold second meeting to align responsible disclosure timelines.
2020-07-24: SEC Consult releases advisory.

Solution:
---------
Update SteelCentral Aternity Agent to version 11.0.3. See following URL:
https://aternity.force.com/customersuccess/s/euem-agent

Workaround:
-----------
Not installing the Recorder and ProductDiagnostics components renders the vulnerability not exploitable.