An authenticated multi-stage remote code execution vulnerability exists in Riverbed SteelCentral NetProfiler and NetExpress 10.8.7 virtual appliances. A SQL injection vulnerability in the '/api/common/1.0/login' endpoint can be exploited to create a new user account in the appliance database. This user can then trigger a command injection vulnerability in the '/index.php?page=licenses' endpoint to execute arbitrary commands. The attacker may escalate privileges to root by exploiting an insecure sudoers configuration that allows the 'mazu' user to execute arbitrary commands as root via SSH key extraction and command chaining. Successful exploitation allows full remote root access to the virtual appliance.
The attacker first exploits an SQL injection vulnerability in the '/api/common/1.0/login' endpoint to inject a database query and create a new user account. Then, using this account, the attacker triggers a command injection vulnerability in the '/index.php?page=licenses' endpoint, which allows execution of arbitrary system commands. In the final stage, the attacker escalates privileges to root level by exploiting misconfigured sudoers — the 'mazu' user can execute any commands as root through SSH key extraction and command chaining.
Successful exploitation allows an attacker to gain full remote access to the virtual appliance with root privileges, meaning complete system takeover, ability to read and modify data, and further lateral movement within the network.
Apply patches available from the manufacturer according to the references. It is recommended to check for updates on the Riverbed support portal at the address indicated in the references and, until the patch is installed, restrict network access to vulnerable endpoints using a firewall or network segmentation.
Riverbed SteelCentral NetProfiler and NetExpress version 10.8.7 (virtual appliances)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X