Vendor: Broadcom
Vendor URL: https://www.broadcom.com/
Systems Affected: CA Network Flow Analysis
Versions affected: 9.3.8, 9.5, 10.0, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 21.2.1 (Note: older, unsupported versions may be affected)
Author: Anthony Ferrillo
CVE Identifier: CVE-2021-44050
Advisory URL: https://support.broadcom.com/external/content/security-advisories/CA20211201-01-Security-Notice-for-CA-Network-Flow-Analysis/19689
Risk: Medium - 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) (Authenticated SQL Injection)
Summary
The Network Flow Analysis software (formerly known as CA Network Flow Analysis) is a network traffic monitoring solution, which is used to monitor and optimize the performance of network infrastructures. The “Interfaces” Section of the Network Flow Analysis web application made use of a Flash application, which performed SOAP requests. The Flash request was reachable from the following URL:
- https://nfa.myservice.EXAMPLE.com/ra/default.aspx?pg=3000&mn=101&timeperiod=2 (Interface Index > Group)
The Interface search bar performed internal SOAP requests. The request supplied a series of parameters which were used to build a SQL query that retrieved information from the backend database. The parameters were not validated prior to the SQL query being executed, allowing a malicious user to inject arbitrary SQL and enumerate and retrieve information from the database.
Impact
Successful exploitation of this issue would allow a low privileged user to enumerate and retrieve information from the backend database of the Network Flow Analysis web application.
Details
The Interface search bar performed internal SOAP requests. The following is an example of the request:
POST //ra/authorization/GroupTreeWS.asmx HTTP/1.1
[…]
61
1597
RouterName, Name
10
0
test
It was possible to retrieve a verbose error message from the backend database by tampering with the orderBy parameter of the request. An example request demonstrating the vulnerability is the following:
Request
POST //ra/authorization/GroupTreeWS.asmx HTTP/1.1
[…]
61
1597
RouterName, Name' or 0=0 --
10
0
test
The following payload was used for the boolean-based blind SQL injection in the request:
' or 0=0 --
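The root cause described above is an orderBy value that is spliced into the SQL text rather than validated. The following Python example (added here; it is not NCC Group's or Broadcom's code and does not reflect the product's actual schema or query) contrasts the vulnerable pattern with an allowlist-based fix. The table name, column names and sample rows are constructed assumptions; the payload is the one quoted in this advisory.

```python
import re
import sqlite3

# Constructed sample data standing in for an interface table; the table name,
# columns and rows are assumptions, not the product's schema.
_SAMPLE_ROWS = [
    ("edge-rtr-1", "Gi0/1"),
    ("core-rtr-2", "Te1/1"),
    ("edge-rtr-1", "Gi0/2"),
]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE interfaces (RouterName TEXT, Name TEXT)")
    conn.executemany("INSERT INTO interfaces VALUES (?, ?)", _SAMPLE_ROWS)
    return conn


def search_vulnerable(search, order_by, page_size=10, offset=0):
    """Vulnerable pattern: the caller-supplied orderBy text is concatenated
    into the ORDER BY clause, so a quote in it reaches the SQL parser."""
    conn = _connect()
    sql = (
        "SELECT RouterName, Name FROM interfaces WHERE Name LIKE ? "
        f"ORDER BY {order_by} LIMIT {page_size} OFFSET {offset}"
    )
    try:
        return conn.execute(sql, (f"%{search}%",)).fetchall()
    except sqlite3.Error as exc:
        # Returning the raw engine error to the client is the verbose
        # error disclosure the advisory describes.
        return f"database error: {exc}"


# Hardened pattern: ORDER BY cannot be parameterised, so the only safe option
# is to accept column names from a fixed allowlist and never echo the input.
ALLOWED_ORDER_COLUMNS = {"RouterName", "Name"}
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_order_by(order_by):
    """Split 'RouterName, Name' into validated column names; reject anything
    that is not a bare identifier present in the allowlist."""
    columns = []
    for token in order_by.split(","):
        token = token.strip()
        if not _IDENT.match(token) or token not in ALLOWED_ORDER_COLUMNS:
            raise ValueError("orderBy column not permitted")
        columns.append(token)
    return columns


def search_hardened(search, order_by, page_size=10, offset=0):
    """Only allowlisted column names reach the SQL text; every value that can
    be bound (search term, LIMIT, OFFSET) is passed as a parameter."""
    columns = parse_order_by(order_by)
    if not (0 < page_size <= 100) or offset < 0:
        raise ValueError("invalid paging values")
    conn = _connect()
    sql = (
        "SELECT RouterName, Name FROM interfaces WHERE Name LIKE ? "
        "ORDER BY " + ", ".join(columns) + " LIMIT ? OFFSET ?"
    )
    return conn.execute(sql, (f"%{search}%", page_size, offset)).fetchall()


if __name__ == "__main__":
    payload = "RouterName, Name' or 0=0 --"
    print(search_vulnerable("Gi", "RouterName, Name"))
    print(search_vulnerable("Gi", payload))   # engine error leaks to the caller
    try:
        search_hardened("Gi", payload)
    except ValueError as err:
        print("rejected:", err)              # generic rejection, no SQL detail
```

The hardened version also illustrates the detection side: a rejected orderBy value is a clean, loggable event (one ValueError per request) rather than a database exception, so repeated rejections from one account are easy to alert on.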
Recommendation
Upgrade to 21.2.2 or above.
Alternatively, apply the appropriate fix provided for 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, and/or 21.2.1.
Vendor Communication
2021-06-10 - Reported to Broadcom Product Security Center
2021-06-29 - Broadcom confirm they are able to reproduce the vulnerability and are working to address the vulnerability
2021-06-29 - We request an estimated date for a fix from Broadcom
2021-07-16 - Broadcom advise they are still working on addressing the issue. Request that we hold off any disclosure.
2021-12-01 - New version released, which addresses the reported vulnerability.
2021-12-02 - Advisory Published
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date: 12/02/2021
Written by: Anthony Ferrillo