VeloCloud: The Last Takeover
Introduction:
Welcome to the final installment of our SD-PWN series, where we uncover severe vulnerabilities in leading SD-WAN vendors. In this article, we will focus on dissecting the security flaws in VMware’s SD-WAN platform, VeloCloud Orchestrator. It is important for users of VMware VeloCloud Orchestrator to update immediately, as we will demonstrate the potential for unauthenticated remote code execution. These vulnerabilities have the potential to disrupt an entire company’s international network.
1. Vulnerabilities in VMware VeloCloud Orchestrator:
VMware VeloCloud Orchestrator is a critical component that connects to edge routers and centrally controls the network topology. However, it is also a single point of failure from a security perspective. The VeloCloud infrastructure is mainly composed of nginx, which serves as a reverse proxy for node.js servers.
2. Mapping Unauthenticated Interfaces:
To conduct a security survey of a product, the first step is to identify its unauthenticated interfaces. These include login and password reset functionality. In the case of VeloCloud, the password reset implementation contains serious mistakes that lead directly to vulnerabilities.
3. Pass The Hash Attack:
VeloCloud’s password reset procedure involves generating a random key. However, instead of using truly random bytes, VeloCloud mistakenly used the user’s hashed password as that key. Additionally, although they implemented an encrypted, signed token, they also accepted an unsigned cleartext token. Together, these two issues make a Pass The Hash Attack possible: knowing a user’s stored hash is enough to complete a reset for that user.
4. Predefined Backdoor Users:
VeloCloud ships with predefined backdoor users, although these accounts are disabled by default. However, by exploiting the Pass The Hash Attack, an attacker who knows a backdoor account’s hashed password can run the password reset process for it and re-enable the account.
5. Authentication Bypass using PTH + Default Accounts (CVE-2020-4001):
Using the Pass The Hash Attack, it is possible to reset the super@velocloud.net account, which possesses the highest admin rights in the system. By knowing the hashed password and a parameter called logicalId, the attacker can bypass authentication and gain unauthorized access.
6. Modulus Parameter SQL Injection (CVE-2020-3984):
VeloCloud’s softwareUpdate/getSoftwareUpdates method is vulnerable to a standard SQL injection attack: user-controlled data is concatenated into an SQL query without proper character escaping. This vulnerability allows the extraction of any data from the database.
7. Rest Meta Dir Traversal + Unauthenticated File Inclusion (CVE-2020-4000):
The portal/rest/meta handler in VeloCloud allows directory traversal by manipulating the GET query string. Although an unauthenticated attacker can reach this handler, we have not found a way to upload a file for inclusion without authentication.
8. Remote Code Execution (RCE) Chain:
With the file inclusion in hand, what remains is to get a JavaScript file with controlled content onto the server. A chain of steps (password reset, login, and setting a syslog server) achieves that, and the included JavaScript then executes in the node.js environment.
Conclusion:
In this final installment of the SD-PWN series, we have exposed severe vulnerabilities in VMware VeloCloud Orchestrator. It is clear that even well-established vendors can have security flaws in their products, especially those acquired from startups. Regular security reviews and a focus on secure coding practices are necessary to prevent such vulnerabilities. As users, it is important to stay updated and apply patches promptly.
By Zaran Sayre, Cybersecurity Expert
Sources:
– [Blog Post] SD-PWN Part 4 – VMware VeloCloud – The Last Takeover