Office pen test leads to discovery of multiple bugs in enterprise networking kit

Chained vulnerabilities in Aruba Networks firmware allowed remote code execution on routers

Multiple vulnerabilities in routers from Aruba Networks allowed attackers to conduct a series of malicious activities including remote code execution (RCE), security researchers have found.

Itai Greenhut and Gal Zror from Aleph Security found a total of eight vulnerabilities in Aruba Instant, the firmware through which administrators configure Aruba routers.

“We have Aruba routers providing us web access in our office,” Greenhut told The Daily Swig.

“Our research started because we were working from home and wanted to research our own WiFi equipment and see how secure we are.

“We also challenged ourselves and our final goal in this project was to get unauthenticated RCE on our office router.”

Route to takeover

Aruba routers are configured through a restricted command-line interface (CLI). The router also exposes a CGI portal that lets users send commands to that CLI through a web interface.

The researchers found a command injection vulnerability in one of the CLI commands that let them create directories and download files onto the device. They were then able to trigger the same bug remotely through the query string of the web interface that relays commands to the CLI module.


Next, they found a way to write an arbitrary file into the directory hosting the CGI application: they abused the device's logging mechanism together with directory traversal sequences to create a malicious file in the web server's root directory.
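The two web-side bug classes in the steps above (a query-string parameter that reaches a shell-backed CLI, and a log file whose name is built from attacker-controlled text) are common enough that the pattern is worth seeing in code. The following Python is an added, generic illustration written for this page; it is not the researchers' exploit or Aruba's code, and the CLI path, parameter name, directories and verb allow-list are all assumptions. The shell is simulated with shlex rather than run, so the script executes nothing and is safe to try offline.

```python
"""Generic illustration (added example, not Aleph Security's exploit or Aruba code) of
two bug classes from the chain described above:

  1. A CGI handler splices a query-string parameter into a shell command line, so a
     shell separator in the parameter becomes a second command (command injection).
  2. A logging routine builds a file path from attacker-controlled text, so '../'
     segments walk out of the log directory and into the web root (path traversal).

Each vulnerable function is paired with a hardened one.  The shell is simulated with
shlex instead of os.system()/subprocess so the script is safe to run offline.
All paths, parameter names and the allow-list are hypothetical.
"""
import posixpath
import re
import shlex
from urllib.parse import parse_qs

CLI_BINARY = "/usr/bin/cli"            # hypothetical CLI the web panel drives
ALLOWED_CLI_VERBS = {"show", "ping"}   # hypothetical allow-list of permitted verbs
ARG_PATTERN = re.compile(r"[A-Za-z0-9._:-]+")   # hostnames, IPs, simple keywords
LOG_DIR = "/var/log/device"            # hypothetical log directory
WEB_ROOT = "/var/www/cgi-bin"          # hypothetical directory hosting the CGI app


def shell_would_run(command_line):
    """Approximate how /bin/sh splits COMMAND_LINE into separate commands.
    Returns a list of argv lists; stands in for system() so nothing executes."""
    lex = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def cli_handler_vulnerable(query_string):
    """VULNERABLE: the raw 'cmd' parameter is concatenated into a shell command line.
    '?cmd=ping 10.0.0.1;mkdir /tmp/x' runs two commands, not one."""
    cmd = parse_qs(query_string).get("cmd", [""])[0]
    return shell_would_run(CLI_BINARY + " " + cmd)


def cli_handler_hardened(query_string):
    """HARDENED: parse '<verb> <argument>', allow-list the verb, validate the argument
    and return an argv list meant for subprocess.run(argv) with no shell at all."""
    cmd = parse_qs(query_string).get("cmd", [""])[0]
    parts = cmd.split()
    if len(parts) != 2:
        raise ValueError("expected exactly '<verb> <argument>'")
    verb, arg = parts
    if verb not in ALLOWED_CLI_VERBS:
        raise ValueError(f"verb not permitted: {verb!r}")
    if not ARG_PATTERN.fullmatch(arg):
        raise ValueError(f"argument contains disallowed characters: {arg!r}")
    return [CLI_BINARY, verb, arg]


def log_path_vulnerable(client_name):
    """VULNERABLE: the caller-supplied name is joined straight onto LOG_DIR.
    '../' segments (or an absolute name) move the file anywhere the process can write."""
    return posixpath.normpath(posixpath.join(LOG_DIR, client_name))


def log_path_hardened(client_name):
    """HARDENED: accept a bare filename only, then re-check that the resolved path
    is still inside LOG_DIR before it is ever opened."""
    if client_name != posixpath.basename(client_name):
        raise ValueError(f"log name may not contain path separators: {client_name!r}")
    if client_name in (".", "..") or not re.fullmatch(r"[A-Za-z0-9._-]+", client_name):
        raise ValueError(f"unsafe log name: {client_name!r}")
    candidate = posixpath.normpath(posixpath.join(LOG_DIR, client_name))
    if posixpath.commonpath([LOG_DIR, candidate]) != LOG_DIR:
        raise ValueError(f"resolved outside log directory: {candidate}")
    return candidate


def rejects(handler, value):
    """True if HANDLER refuses VALUE with ValueError (used by the demo and tests)."""
    try:
        handler(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    injected = "cmd=ping+10.0.0.1%3Bmkdir+/tmp/x"      # constructed attacker request
    print("vulnerable runs:", cli_handler_vulnerable(injected))
    print("hardened rejects injected request:", rejects(cli_handler_hardened, injected))
    traversal = "../../www/cgi-bin/backdoor.cgi"       # constructed log name
    print("vulnerable log path:", log_path_vulnerable(traversal))
    print("hardened rejects traversal:", rejects(log_path_hardened, traversal))
```

Two caveats a practitioner should keep in mind. Passing an argv list removes the shell, but it does not stop the CLI binary itself from interpreting an argument as an option or sub-command, which is the argument-injection class the researchers also reported; that is why the hardened handler allow-lists the verb and constrains the argument to a strict character class rather than just avoiding `shell=True`. For the log path, the string checks above are necessary but the final guard belongs at open time: resolve the candidate with `os.path.realpath` (or open with `O_NOFOLLOW`) so a symlink planted inside the log directory cannot redirect the write.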

Finally, they used a bug in the device's Process Application Programming Interface (PAPI) to force the router to disclose the contents of its configuration file. In older firmware versions, the configuration file contains the administrator's password in plaintext.

In newer versions, the password is hashed.

“In the minimal case the password is stored hashed, and to continue the attack the attacker has to provide credentials or crack this hash,” Greenhut said.

“The worst-case scenario is that the router still has the password stored in plaintext and after extraction of the credentials, the attacker can continue the attack as usual.”

Chaining the attack

With those credentials in hand, an attacker could complete the chain of vulnerabilities and gain root shell access to the Aruba router.

During their research, Greenhut and Zror found other vulnerabilities, including an argument injection vulnerability in the CLI library and a cross-site scripting bug in the captive portal, the web page displayed to users when they first connect to the router.

“The exploit doesn’t need physical access to the router, it can be exploited by an attacker on the same network without any physical access,” Greenhut said.


“If the router is exposing its web panel to the internet, this exploit can also attack routers from the WAN.”

Greenhut also pointed out that a quick query to device search engines shows thousands of exposed routers.

With Aruba being a major supplier of gear for enterprise customers such as airports, hospitals, and universities, the implications of vulnerable routers sitting in public locations and reachable from the internet are serious.

According to an advisory from Aruba that details the vulnerabilities, the bugs were fixed earlier this year.
