Talos Intelligence: TALOS-2018-0686
Dec 17, 2018 - 12:00 a.m.

Webroot BrightCloud SDK HTTP connection unsafe defaults vulnerability

Talos Intelligence
www.talosintelligence.com

CVSS2: 6.8 Medium
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Attack Vector: NETWORK | Attack Complexity: MEDIUM | Authentication: NONE | Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL

CVSS3: 8.1 High
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK | Attack Complexity: HIGH | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

EPSS: 0.002 Low (Percentile: 51.5%)

Summary

An exploitable vulnerability exists in the HTTP client functionality of the Webroot BrightCloud SDK. The configuration of the HTTP client does not enforce a secure connection by default, resulting in a failure to validate TLS certificates. An attacker could impersonate a remote BrightCloud server to exploit this vulnerability.

Tested Versions

Webroot BrightCloud SDK

Product URLs

https://www.brightcloud.com/

CVSSv3 Score

8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-295: Improper Certificate Validation

Details

BrightCloud provides an API service that gives its clients access to websites' classification and reputation data: the service can be queried to retrieve the content category of a specific URL and its reputation index. BrightCloud also provides an SDK for accessing this web services API; it can be used, for example, by appliances that want to allow access only to non-malicious sites.

A binary using this SDK, called webroot.so, was found inside the CUJO Smart Firewall (an internet-of-things device that monitors the wireless internet in the user's home) running version 7003, where it is used to detect and deny access to potentially malicious websites. Specifically, on the device that we tested, CUJO accesses the BrightCloud API at the URL bcap15.brightcloud.com over a plain HTTP connection.

While the following analysis is written in the context of the CUJO Smart Firewall, this advisory does apply to the Webroot BrightCloud SDK itself.

The bc_initialize function is called before performing any communication with remote BrightCloud servers, in order to configure the HTTP client.

The function expects a structure as a parameter containing, among other fields:

  • Device: in our CUJO device, this field contains the string "NextGen_FW_1"
  • OemId: in our CUJO device, this field contains the string "Cujo"
  • UID: in our CUJO device, this field contains a 32-byte hex string
  • Server: in our CUJO device, this field contains the string "bcap15.brightcloud.com"

When the Server string is specified without a protocol, the SDK defaults to the insecure HTTP protocol for the remote connection to the specified server.
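The unsafe default described above, next to a configuration check that makes the secure choice explicit before the value reaches the SDK, as an added example (not code from the advisory, from Webroot or from the SDK); the brightcloud.com allowlist, the dict standing in for the bc_initialize structure and the sample UID are assumptions of this example:

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allowlist: the advisory only names bcap15.brightcloud.com, so
# anchoring on the brightcloud.com domain is an assumption of this example.
ALLOWED_DOMAIN = "brightcloud.com"


def unsafe_default_resolution(server: str) -> str:
    """Model of the behaviour the advisory describes: a Server value given
    without a scheme is silently treated as a plain http:// endpoint."""
    return server if "://" in server else "http://" + server


def enforce_tls_endpoint(server: str, allowed_domain: str = ALLOWED_DOMAIN) -> str:
    """Return an explicit https:// URL for the SDK's Server field, or raise.
    A bare host such as 'bcap15.brightcloud.com' becomes 'https://bcap15.brightcloud.com/';
    'http://' and any other scheme are rejected so no cleartext fallback is possible."""
    value = server.strip()
    if "://" not in value:
        value = "https://" + value  # make the secure choice explicit
    parts = urlsplit(value)
    if parts.scheme.lower() != "https":
        raise ValueError(f"refusing non-TLS BrightCloud endpoint: {server!r}")
    host = parts.hostname or ""
    if host != allowed_domain and not host.endswith("." + allowed_domain):
        raise ValueError(f"unexpected BrightCloud host: {host!r}")
    return urlunsplit(("https", parts.netloc, parts.path or "/", parts.query, ""))


def is_rejected(server: str) -> bool:
    """True when enforce_tls_endpoint refuses the given Server value."""
    try:
        enforce_tls_endpoint(server)
    except ValueError:
        return True
    return False


def build_bc_config(device: str, oem_id: str, uid: str, server: str) -> dict:
    """Assemble the bc_initialize parameters (field names from the advisory; a
    dict stands in for the real struct, whose layout the advisory does not show)
    with the Server field forced through enforce_tls_endpoint first."""
    return {"Device": device, "OemId": oem_id, "UID": uid,
            "Server": enforce_tls_endpoint(server)}


if __name__ == "__main__":
    # Constructed sample values modelled on the CUJO fields quoted in the
    # advisory; the UID is a placeholder, not a real device identifier.
    cfg = build_bc_config("NextGen_FW_1", "Cujo", "00" * 16, "bcap15.brightcloud.com")
    print("SDK default:", unsafe_default_resolution("bcap15.brightcloud.com"))
    print("hardened   :", cfg["Server"])
```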

An attacker can exploit this behavior through a man-in-the-middle attack, which could lead to the theft of credentials, the transparent alteration of BrightCloud queries, or even the exploitation of vulnerabilities in the underlying SDK.

As an example of this last scenario, this vulnerability can be used together with TALOS-2018-0683 in order to achieve remote code execution inside an appliance that is using the Webroot BrightCloud SDK, such as the CUJO Smart Firewall.

Timeline

2018-10-10 - Vendor Disclosure
2018-10-17 - Vendor Patched
2018-12-17 - Public Release
