<--

Remote command injection via a crafted HTTP request (cmdImportCategory)

Aleph Research Advisory

Identifier

CVE-2019-19839

Severity

Critical

Product

  • ZoneDirector
  • Unleashed

Vulnerable Version

  • ZoneDirector: 9.9 and before
  • ZoneDirector: 9.10.x
  • ZoneDirector: 9.12.x
  • ZoneDirector: 9.13.x
  • ZoneDirector: 10.0.x
  • ZoneDirector: 10.1.x
  • ZoneDirector: 10.2.x
  • ZoneDirector: 10.3.x
  • Unleashed: 200.6 and before
  • Unleashed: 200.7

Mitigation

  • 9.10.x: Upgrade to 9.10.2.0.84
  • 9.12.x: Upgrade to 9.12.3.0.136
  • 9.13.x: Upgrade to 10.0.1.0.90
  • 10.0.x: Upgrade to 10.0.1.0.90
  • 10.1.x: Upgrade to 10.1.2.0.275
  • 10.2.x: Upgrade to 10.2.1.0.147
  • 10.3.x: Upgrade to 10.3.1.0.21
  • 200.6 and before: Upgrade to 200.7.10.202.94
  • 200.7: Upgrade to 200.7.10.202.94

Technical Details

Remote command injection via a crafted HTTP request, caused by insufficient input validation

cmdImportAvpPort() function in emfd executable runs system() with insufficient input validation on uploadFile attribute. As a result a crafted POST request with attribute xcmd=import-category to the web interface page /admin/_cmdstat.jsp injects OS command.

Timeline

Posts

Credit

External References

  1. Ruckus Networks - Security Advisory ID 20191224 - txt
  2. Ruckus Networks - Security Advisory ID 20191224 - PDF