Singapore uncovers four critical vulnerabilities in Riverbed software

Singapore’s Cyber Security Group, an agency charged with securing the nation’s cyberspace, has uncovered four critical flaws in code from network software company Riverbed.

The vulnerable application is SteelCentral AppInternals, formerly referred to as AppInternals Xpert, provided by Riverbed’s Aternity division. AppInternals provides application performance monitoring and diagnostics, and is part of SteelCentral. Customers usually deploy it in their datacenters and on their cloud servers to collect information about performance, transaction traces, and more, so it can all be monitored from a centralized UI.

Specifically, the insecure code is in Dynamic Sampling Agent, which is the collection component of AppInternals. Versions affected, according to a CVE record, include 10.x, versions prior to 12.13.0, and versions prior to 11.8.8. Aternity’s advisory about the security holes is locked behind a customer login page. We’ve asked the vendor for more information.

News of the flaws emerged in a blog post by cybersecurity specialist Kang Hao Leng, who said the discovery was made in November 2021.

Along with two others, Kang found a total of seven bugs while testing Riverbed’s wares, with four of these rated as critical, all within the AppInternals’ Dynamic Sampling Agent.

The four critical vulnerabilities are listed as CVE-2021-42786, CVE-2021-42787, CVE-2021-42853, and CVE-2021-42854.

The four are rated 9.8, 9.4, 9.1 and 9.8 respectively out of 10 on the CVSS scale, and can be exploited by an unauthenticated user to inject and run payloads of malicious code on a remote target.

CVE-2021-42786 is a remote-code execution vulnerability in the software’s API, exploitable due to a lack of input validation of a URL path. For CVE-2021-42787, a lack of input validation of the filename made it possible for attackers to use characters like “../” as a name, leading to potential directory traversal, meaning miscreants could gain unauthorized access to restricted resources.

CVE-2021-42853 and CVE-2021-42854 also involved directory traversal vulnerabilities, in the “/api/appInternals/1.0/agent/diagnostic/logs” and “/api/appInternals/1.0/plugin/pmx” API endpoints respectively. The blog post describes the flaws in detail and assures us that the bugs have been patched, and Kang said remediation was swift. Users of Riverbed’s software should ensure they are up to date with their deployments.
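
The directory traversal flaws described above come down to joining a client-supplied name onto a server directory without checking where the result lands. The Python below is an added example, not Riverbed’s code or the researchers’; the function names, directory layout and file names are constructed for illustration, and it assumes a POSIX filesystem.

```python
import os
import tempfile

class UnsafePath(ValueError):
    """Raised when a requested name would leave the served directory."""

def naive_join(base_dir, filename):
    # Weak form: trusts the client-supplied name, so "../" walks out of base_dir.
    return os.path.normpath(os.path.join(base_dir, filename))

def safe_join(base_dir, filename):
    # Hardened form: accept a single path component only, then confirm the
    # fully resolved path (symlinks included) is still under base_dir.
    if not filename or "\x00" in filename:
        raise UnsafePath("empty name or NUL byte")
    if filename in (".", "..") or "/" in filename or "\\" in filename:
        raise UnsafePath("name must be a single path component")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath("resolved path escapes base directory")
    return candidate

def demo():
    # Constructed layout: a log directory next to a file that must stay private.
    root = os.path.realpath(tempfile.mkdtemp())
    logs = os.path.join(root, "logs")
    os.mkdir(logs)
    open(os.path.join(logs, "agent.log"), "w").close()
    open(os.path.join(root, "secret.cfg"), "w").close()
    # A symlink inside the log directory that points outside it.
    os.symlink(os.path.join(root, "secret.cfg"), os.path.join(logs, "link.log"))

    escaped = naive_join(logs, "../secret.cfg") == os.path.join(root, "secret.cfg")
    results = {"naive_escapes": escaped}
    for name in ("agent.log", "../secret.cfg", "/etc/hostname", "link.log", "..\\secret.cfg"):
        try:
            safe_join(logs, name)
            results[name] = "allowed"
        except UnsafePath:
            results[name] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

The symlink case shows why the resolved-path check is kept even after separators are rejected: a name with no “../” in it can still point outside the directory.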

“Riverbed worked with the research team on the assessment, identification, and mitigation of the vulnerabilities as they were discovered, evaluated, and validated,” Wayne Loveless, CISO at Riverbed, told The Register.

“Product engineering and security teams have security assessment and testing processes integrated into our software development lifecycle (SDLC). Updates were made available as part of Riverbed customer support services via the support portal.” ®
