A trio of security flaws open the door to remote-code execution and a malware tsunami.
The Akkadian Provisioning Manager, which is used as a third-party provisioning tool within Cisco Unified Communications environments, has three high-severity security vulnerabilities that can be chained together to enable remote code execution (RCE) with elevated privileges, researchers said.
They remain unpatched, according to the researchers at Rapid7 who discovered them.
Cisco’s UC suite enables VoIP and video communications across business footprints. The Akkadian product is an appliance that’s typically used in large enterprises to help manage the process of provisioning and configuring all of the UC clients and instances, via automation.
The issues, all present in version 4.50.18 of the Akkadian platform, are as follows:
- CVE-2021-31579: Use of hard-coded credentials (ranking 8.2 out of 10 on the CVSS vulnerability-severity scale)
- CVE-2021-31580 and CVE-2021-31581: Improper neutralization of special elements used in an OS command (using exec and vi commands, respectively; ranking 7.9)
- CVE-2021-31582: Exposure of sensitive information to an unauthorized actor (ranking 7.9)
Combining CVE-2021-31579 with either CVE-2021-31580 or CVE-2021-31581 will allow an unauthorized adversary to gain root-level shell access to affected devices, according to Rapid7. That makes it easy to install cryptominers, keystroke loggers, persistent shells and any other type of Linux-based malware.
Meanwhile, researchers said that CVE-2021-31582 can allow an attacker who is already authenticated to the device to alter or delete the contents of the local MariaDB database, which is a free and open-source fork of the MySQL relational database management system. In some cases, attackers could recover LDAP BIND credentials in use in the host organization, which are used to authenticate clients (and the users or applications behind them) to a directory server.
“In addition to these issues, two other questionable findings were discovered: The ability to read the cleartext local MariaDB credentials, and the inadvertent shipping of an entire GitHub repo with commit history,” the firm explained, in a blog post this week. “At the time of this writing, it’s unclear if these findings present unique security issues, but nonetheless, should be reviewed by the vendor.”
CVE-2021-31579: Use of Hard-Coded Credentials
During a penetration test on a client site, Rapid7 researchers were able to create a root-shell environment by interrupting the boot process of the appliance, according to the analysis. After that, they were able to peruse the user /etc/passwd database, where the ‘akkadianuser` was given as the user name.
Meanwhile, “investigating the user home directory revealed a set of developer files on the production server…[including] developer configuration scripts for configuring a high availability user, which revealed that the high availability user was created with the default password `haakkadianpassword.’”
Armed with these credentials, Rapid7 was then able to successfully bypass the restricted shell menu environment using CVE-2021-31580/81.
CVE-2021-31580/81: Shell Escape via ‘exec’ and ‘vi’ Commands
Rapid7 researchers identified that the restricted shell in use by the Akkadian Appliance Manager component was set to a default bash shell.
“Rapid7 researchers switched the OpenSSH channel from `shell` to `exec` by providing the SSH client a single execution parameter,” according to the analysis. “This triggered the interactive Python script to unsuccessfully find the `/dev/tty` file and exit, but as the shell is running in the context of a bash shell, the failed exit condition does not fail the parent shell and the command is passed on through to the operating system allowing a bypass.”
By combining this issue with the default credentials, an unauthenticated, network-based attacker will gain unrestricted access to an interactive shell with root privileges, according to researchers.
Rapid7 researchers further found that the restricted shell environment of the Akkadian Appliance Manager component could also be bypassed using the shipped version of “vi,” which is a popular terminal-based text editor. That can be done simply by hitting `:!` and then the desired command.
CVE-2021-31581: Exposure of Sensitive Information
In the third vulnerability, Rapid7 researchers saw that the application was serving sensitive data via the exposed web server.
“Listing the `/var/www/html/pme/` directory Rapid7 identified the ionCube packed PHP files, but an additional set of files that were marked with readable permissions,” according to the writeup. “Many of these files contained sensitive data that was accessible via the web server. Of note, the `/pme/database/pme/phinx.yml` file contained cleartext local MariaDB usernames and passwords.”
Rapid7 researchers were then able to use local shell access in order to successfully validate the credentials and connect to the underlying MariaDB host listening locally.
How to Protect Your Organization from Exploits
Rapid7 disclosed the bugs to Akkadian in February, but despite multiple follow-ups, there’s been no response, according to Rapid7.
To protect their environments, companies should restrict network access to the SSH port (22/tcp), so that only trusted users are allowed on, and disable any internet-facing connectivity, Rapid7 recommended.
“Furthermore, system operators should know that, in the absence of a fix, users who have access to the Akkadian Appliance Manager effectively have root shell access to the device, due to the second and third issues,” according to the analysis.
Akkadian did not immediately return a request for comment by Threatpost.