Infoblox 6.8.2.11 - OS Command Injection / Weak MySQL Password Vulnerability

Product: Network Automation, licensed as:
•         NetMRI
•         Switch Port Manager
•         Automation Change Manager
•         Security Device Controller
 
Vendor: Infoblox
Vulnerable Version(s): 6.4.X.X-6.8.4.X
Tested Version: 6.8.2.11
 
Vendor Notification: May 12th, 2014
Vendor Patch Availability to Customers: May 16th, 2014
Public Disclosure: July 9th, 2014
 
Vulnerability Type: OS Command Injection [CWE-78]
CVE Reference: CVE-2014-3418
Risk Level: High
CVSSv2 Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution Status: Solution Available
 
Discovered and Provided: Nate Kettlewell, Depth Security ( https://www.depthsecurity.com/ )
 
------------------------------------------------------------------------
-----------------------
 
Advisory Details:
 
Depth Security discovered a vulnerability in the Infoblox Network Automation management web interface. This attack does not require authentication of any kind.
 
1) OS Command Injection in Infoblox Network Automation Products: CVE-2014-3418
 
The vulnerability exists due to insufficient sanitization of user-supplied data in in skipjackUsername POST parameter. A remote attacker can inject operating system commands as the root user, and completely compromise the operating system.
 
The following is the relevant portion of the multipart/form-data POST request to netmri/config/userAdmin/login.tdf
 
Content-Disposition: form-data; name="skipjackUsername"
 
admin`ping -n 20 127.0.0.1`

Solution:
 
Infoblox immediately released a hotfix to remediate this vulnerability on existing installations (v6.X-NETMRI-20710.gpg).
The flaw was corrected in the 6.8.5 release (created expressly for dealing with this issue), and that release has been put into manufacturing for new appliances.
 
------------------------------------------------------------------------
-----------------------

2) Weak password on local MySQL database: CVE-2014-3419

The vulnerability exists due to a weak password used for local MySQL access

An authenticated user with shell access to the operating system can access the contents of any database in the local MySQL instance using the local MySQL client (“mysql –u root –p”) with the following credentials:

Username: root
Password: root

Sensitive information such as SNMP community names and network device credentials are encrypted inside of the database.
------------------------------------------------------------------------
-----------------------

Solution:

The vendor has released a hotfix to remediate this vulnerability on existing installations. The flaw was corrected in the 6.8.5 release.
 
------------------------------------------------------------------------
-----------------------
 
Proof of Concept:
 
In addition to manual exploitation via the above mentioned vector, proof of concept is provided in the form of a module for the metasploit framework.
 
https://github.com/depthsecurity/NetMRI-2014-3418

#  0day.today [2018-01-05]  #