Research concludes four-part series unearthing RCE chains in ‘single point of failure’ SD-WAN products

VMware patches security flaws in VMware SD-WAN Orchestrator that could disrupt global enterprise networks

VMware has fixed vulnerabilities in its VeloCloud SD-WAN Orchestrator that, chained together, can lead to unauthenticated remote code execution (RCE).

Researchers from Realmode Labs combined authentication bypass, SQL injection, and directory traversal vulnerabilities to leave arbitrary JavaScript running in Node.js.

The revelation marks the conclusion of a blog series documenting potentially calamitous RCE chains in four SD-WAN products from major vendors.

Centrally controlling an enterprise’s network topology, SD-WAN (Software-defined Wide Area Network) products represent “a crucial single point of failure from a security perspective”, Ariel Tempelhof, co-founder and CEO of Tel Aviv-based Realmode Labs, said in a blog post mapping the VMware RCE chain.

Pass the hash

VeloCloud, which was acquired by VMware in 2017, made “two grave mistakes” in implementing the password reset process that paved the way to an authentication bypass.

First, they used the user’s hashed password for the reset key “instead of generating random bytes”.

Second, while they implemented “an encrypted, signed token”, they “also added an option to use an unsigned cleartext [token] using the {CLEAR} prefix”.

VeloCloud also added predefined backdoor users, a “practice we’ve seen less of in the past years”, albeit disabled by default.

A ‘Pass The Hash Attack’ therefore allowed researchers “to use the hashed password during the password reset procedure, which also reenables the user”.

Researchers were thus able to reset the highest privilege, super@velocloud.net account, having obtained the account’s hashed password and logicalId parameter from the installation files.

The non-blind SQL injection vulnerability, meanwhile, arose because user-controlled data was “concatenated to an SQL query without escaping any characters”.

The blog post also explains how the researchers found the directory traversal flaw, which enabled them to “execute almost any JavaScript file on the local disk.”

Finally, uploaded files which failed content verification were not being deleted, meaning their randomly generated filename could be retrieved from the logger module because VeloCloud allowed users to set the device’s syslog server.

Startup insecurity

The flaws were reported to VMware at the end of July, said Tempelhof.

VMware then issued a security advisory on November 18 that addressed six CVEs emanating from Realmode Labs’ research and advised customers to update to versions 4.0.1, 3.4.4, or 3.3.2.

“VMware’s SIRT team was very responsive,” Tempelhof told The Daily Swig, although their decision not to assign ‘critical’ classifications, despite being presented with the RCE exploit, suggested they had “underestimated these issues”, he claimed.

Tempelhof noted that many SD-WAN products were first developed by startups that were later acquired by large companies – Silver Peak by HPE, Viptela by Cisco, VeloCloud by VMware, and Talari, whose codebase is apparently partly shared with Citrix, by Oracle.

“Startup companies usually put less emphasis on securing their products,” he said. “They need to build a system from scratch, they have tight development schedules, code is often left unreviewed, and sometimes shortcuts are made.”

Tempelhof told The Daily Swig that he and co-researcher Yaar Hahn were left “wondering what was the security assessment due diligence during this transition [to new ownership for the vendors researched] (if any)”.

The bugs leading to RCE in VMware SD-WAN Orchestrator, Cisco’s Viptela vManage, and, as reported by The Daily Swig, Citrix’s SD-WAN Center and Silver Peak’s Unity Orchestrator, “could have been found and fixed by a standard security review”, added Tempelhof.

The Daily Swig has contacted VMware for comment and will update the article if and when we hear back.
