Advantech iView Remote Command Injection

June 25, 2021

Overview:

  The Advantech iView application enables network managers to configure, update, manage and monitor B+B SmartWorx solutions from a central location. It is Simple Network Management Protocol-based element management software provided free of charge with all intelligent FTTx, Optical Access and Media Conversion solutions. It is designed as a web-based application, with the main program functionality residing on a web server and all user access through a web browser.

  A remote command execution vulnerability has been reported in Advantech iView. The vulnerability is due to improper input sanitization. A remote user could exploit the vulnerability by sending a crafted request to the server.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-32930.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Advantech iView is a Java-based servlet application and requires a Java servlet container such as Apache/Tomcat to be installed on the web server. iView stores program information in a database and requires a relational database management system such as MySQL to be installed on the web server. Before using any features of iView, a user needs to authenticate with the system. Advantech iView allows users to create zero-touch provisioning (ZTP) configuration files for B&B Electronics devices that support the related functionality. The ZTP Configuration menu section displays the ZTP Configuration dialog, which can be accessed from the “Tools” menu. The ZTP-related services are handled by either the NetworkServlet or the CommandServlet endpoint. The URL mappings for these servlets are found in the web.xml file.

  A command injection vulnerability exists in Advantech iView. The vulnerability is due to a lack of proper input validation for shell command injection characters in the HTTP request parameter fwfilename. When the application receives an HTTP request with the Request-URI set to either “/iView3/CommandServlet” or “/iView3/NetworkServlet”, and the request parameter ztp_config_name is set to the associated action, the doPost() method in the Java class NetworkServlet is called. The “NetworkServlet” class checks the page_action_type parameter and invokes the associated function based on the task. For example, when upgrading the ProView component, the application receives the page_action_type parameter as “runProViewUpgrade”, and the runProViewUpgrade() method is invoked to perform the upgrade operation. The vulnerable function accepts two more parameters in the HTTP request: device_id and filename.

  In the implementation of the runProViewUpgrade() method, the vulnerable code first extracts the ipaddress and strDeviceModel from the database using the supplied device_id. If the device_id cannot be found in the database, the vulnerable function returns with an error. The function builds a list of strings for the “command” parameter of the ProcessBuilder Java class in order to execute the CMD program. The value supplied in the fwfilename field is used to build one of the command arguments. However, the runProViewUpgrade() method does not sanitize the fwfilename parameter value for command injection characters before using it to build the command-line string. An attacker can include command injection characters in the value of the fwfilename parameter, which are then used to construct the command-line list. This allows the execution of arbitrary commands on the underlying system when the start() method of the Java class ProcessBuilder executes the constructed command list.
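
  A detection sketch for the request shape described above, added here as an example (it is not SonicWall's signature or Advantech's code): it flags POSTs to the two servlet paths that select runProViewUpgrade and carry an fwfilename outside a strict file-name allow-list. The allow-list pattern, the function names and the sample events are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint paths, action and parameter names are the ones named in the advisory.
SERVLET_PATHS = {"/iView3/NetworkServlet", "/iView3/CommandServlet"}
ACTION = "runProViewUpgrade"
# Assumption: a legitimate firmware file name is a plain basename.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

def inspect_request(method, uri, body=""):
    """Return a finding string for a suspicious request, or None."""
    if method.upper() != "POST":  # the advisory describes the doPost() path
        return None
    parts = urlsplit(uri)
    # Drop servlet path parameters such as ";jsessionid=..." before matching.
    if parts.path.split(";", 1)[0] not in SERVLET_PATHS:
        return None
    # Parameters can arrive in the query string or the form body;
    # parse_qs percent-decodes each value once.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    if ACTION not in params.get("page_action_type", []):
        return None
    for value in params.get("fwfilename", []):
        if not SAFE_NAME.fullmatch(value):
            return f"fwfilename outside allow-list: {value!r}"
    return None

def scan(events):
    """Return (index, finding) for every flagged (method, uri, body) event."""
    hits = []
    for i, (method, uri, body) in enumerate(events):
        finding = inspect_request(method, uri, body)
        if finding:
            hits.append((i, finding))
    return hits

# Constructed sample events (not captured traffic).
SAMPLE_EVENTS = [
    ("POST", "/iView3/NetworkServlet",
     "page_action_type=runProViewUpgrade&device_id=1&fwfilename=proview_2.1.bin"),
    ("POST", "/iView3/CommandServlet;jsessionid=CONSTRUCTED",
     "page_action_type=runProViewUpgrade&device_id=1&fwfilename=fw.bin%20%26%20echo%20constructed"),
    ("POST", "/iView3/NetworkServlet", "page_action_type=otherAction&fwfilename=a%26b"),
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(index, finding)
```

  An allow-list on the decoded value is used instead of a list of metacharacters, so any value that is not a plain file name is reported regardless of which shell character it contains.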

Triggering the Problem:

  • The target system must have the vulnerable product installed and enabled.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must know a valid device ID in the target application.

Triggering Conditions:

  The attacker sends a crafted HTTP request to the vulnerable server with malicious parameters. The vulnerability is triggered when the affected software processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 8080/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS:15599 “Advantech iView Command Injection”

Remediation Details:

  Listed below are actions that may be taken in order to mitigate the risks associated with this vulnerability:
    • Restrict access to the affected communication port to trusted hosts only.
    • Upgrade the product with a new patched version.
    • Detect and block malicious traffic with IPS:15599.
  The vendor, Advantech, has released a new version of the product:
  Vendor Advisory