Vulnerable Software: Extreme Networks Switch EXOS Chalet Web GUI
Vulnerability: Privilege Escalation
Affected Version: EXOS < 22.7 and < 30.2
Vendor Homepage: https://www.extremenetworks.com/
CVE: CVE-2020-18305
Severity: High
CVE Author: Yasin Yilmaz (yasinyilmaz@email.com)
Exploit Available: Yes
A vulnerability in the Role Based Access Control (RBAC) functionality of the Extreme Networks Switch EXOS Chalet Web GUI could allow an authenticated, remote attacker with Read-Only privileges to execute commands or make configuration changes as an Admin user.
The vulnerability is due to incorrect handling of RBAC for the administration GUI. An attacker could exploit this vulnerability by sending a modified HTTP request to the affected device. An exploit could allow the attacker as a Read-Only user to execute CLI commands or configuration changes as if they were an Admin user.
For OS versions 15.7 and later, HTTP access to the switch web interface (referred to as Chalet) is available via the management port IP address. Additionally, plugging a cable into the Management port triggers the switch to self-assign a link-local IP address, which can be used to log into Chalet.
As with the CLI, the web interface can be accessed with the default user credentials. One is "admin", the privileged account; the other is "user", which has only basic options. (Default settings: User: user, Password: "no password set".)
The web-based user interface, called Chalet, is a quick way for setting up and viewing information about a switch. Chalet removes the need to know and remember commands in a CLI environment. Viewable on desktop and mobile with a quick login and intuitive navigation, Chalet features a Quick Setup mode for configuring a switch in a few simple steps. Basic data surrounding port utilization, power, and Quality of Service (QoS) are available, and more advanced users can configure multiple VLANs, create Access Control Lists (ACLs), and configure Audio Video Bridging (AVB).
For more detailed information on Chalet, please refer to this article from Extreme Networks: https://documentation.extremenetworks.com/chalet/GUID-4DF9CF9B-DA73-4C8B-A26A-9F8554C1EA76.shtml
The web interface provides two types of user:
- Administrator
- User
The administrator user has access to all modules. Users with viewer privileges are not supposed to reach critical functionality, but they can by forceful browsing. Below we access admin modules using only viewer user privileges.
Step 1: As with the CLI, the web interface can be accessed with the default user credentials. One is "admin", the privileged account; the other is "user", which has only basic options. Once connected to the web GUI, you should see a login prompt. Log in as "user" and proceed as a low-privileged normal user.
Step 2: Right-click a blank part of the web GUI and select View Page Source from the pop-up menu. Notice the response: endpoints such as /admin/userAccounts, /apps_file_list, /my_plugins, /plugin_store and /pluins/ezMLAC normally require privileged access and need the readWrite accessRight. However, these security checks are performed only on the client side of the Chalet Web GUI. This means a Read-Only user can send direct requests to sensitive sub-pages by supplying the endpoint, and gain unauthorized access.
Step 3: The application does not enforce any server-side protection for sensitive functionality. Administrative functions are linked from the administrator's page but not from the user's page, yet a user can still reach them by browsing directly to the relevant admin URL. An exploit could allow the attacker, as a Read-Only user, to execute CLI commands or configuration changes as if they were an Admin user. (For example, navigating to /apps_file_list loads the file manager page, where files can be viewed, deleted and uploaded.)
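The defect in Steps 2 and 3 is that the accessRight is only consulted by the browser when it decides which menu entries to render; the server serves any authenticated session. The following added example (not Extreme Networks code, and not Chalet's real request handler) models that pattern beside the server-side check that closes it. The endpoint names come from the advisory; the "readOnly"/"readWrite" right values, treating /admin and /plugins as whole privileged subtrees, the Session layout and the dispatch functions are assumptions for illustration.

```python
import posixpath
from dataclasses import dataclass
from typing import Dict, Optional

# Endpoints the advisory names as requiring privileged access. Treating
# /admin and /plugins as subtrees is an assumption for this example.
PRIVILEGED_PREFIXES = ["/admin", "/apps_file_list", "/my_plugins",
                       "/plugin_store", "/plugins"]
RANK = {"readOnly": 0, "readWrite": 1}   # assumed accessRight values


@dataclass(frozen=True)
class Session:
    username: str
    access_right: str   # "readOnly" or "readWrite"


def canonical_path(raw: str) -> str:
    """Normalise a request path before matching so that dot segments,
    repeated slashes and a query string cannot dodge the policy."""
    path = raw.split("?", 1)[0].split("#", 1)[0]
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)
    while path.startswith("//"):       # normpath keeps a leading "//"
        path = path[1:]
    return path


def required_right(raw_path: str) -> str:
    """Minimum accessRight for a path; anything not listed is readOnly."""
    path = canonical_path(raw_path)
    for prefix in PRIVILEGED_PREFIXES:
        if path == prefix or path.startswith(prefix + "/"):
            return "readWrite"
    return "readOnly"


def vulnerable_dispatch(session: Optional[Session], raw_path: str) -> int:
    """Models the defect: the server only checks that a session exists.
    Which links were shown was decided in the browser, so a direct request
    to a privileged endpoint is served regardless of the caller's right."""
    return 200 if session is not None else 401


def hardened_dispatch(session: Optional[Session], raw_path: str) -> int:
    """Server-side enforcement: the right comes from the session (never
    from the request) and is compared against the policy on every call."""
    if session is None:
        return 401
    if RANK[session.access_right] < RANK[required_right(raw_path)]:
        return 403
    return 200


# Constructed walk-through of the direct-URL access from Step 3.
READ_ONLY = Session("user", "readOnly")
ADMIN = Session("admin", "readWrite")
ATTEMPTS = [
    "/",
    "/apps_file_list",
    "/admin/userAccounts",
    "/admin/../admin/userAccounts",   # dot segments
    "//apps_file_list?x=1",           # duplicate slash plus query string
    "/plugin_store",
]


def compare(session: Session) -> Dict[str, Dict[str, int]]:
    """Return {path: {"vulnerable": status, "hardened": status}}."""
    return {p: {"vulnerable": vulnerable_dispatch(session, p),
                "hardened": hardened_dispatch(session, p)} for p in ATTEMPTS}


if __name__ == "__main__":
    for path, result in compare(READ_ONLY).items():
        print(f"{path:32} vulnerable={result['vulnerable']} "
              f"hardened={result['hardened']}")
```

The point of canonical_path is that an authorization check keyed on the raw URL is only as strong as the parser in front of it: the policy must see the same path the handler will act on, which is why the check runs after normalisation and before any endpoint code.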
- Extreme Networks closed the case; the vulnerability is tracked under xos0074814 and is fixed in EXOS 22.7 and 30.2. Please apply the security updates.
- Set a password on both default accounts. The following commands set the password for the admin and user accounts; the switch prompts for the password and a confirmation.
  For the admin account:
      exos# configure account "admin"
      Password
      Repeat Password
  For the user account:
      exos# configure account "user"
      Password
      Repeat Password
  After setting the passwords, save the entire configuration as follows:
      exos# save
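Until the fixed release is installed, the access pattern from Steps 2 and 3 is visible in web access logs: a Read-Only account requesting the privileged endpoints directly, and the server answering 2xx. The following added example (not Extreme Networks code) scans such log lines and reports, per account and client, which privileged paths were served and which were refused. The log line format, the account-to-right table and the sample lines are constructed for this example; Chalet's real log format is not on the page.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Account rights as a defender would export them from the switch (assumed).
ACCOUNT_RIGHTS = {"admin": "readWrite", "user": "readOnly", "netops": "readOnly"}

# Privileged paths named in the advisory, treated as subtrees (assumption).
PRIVILEGED = ("/admin", "/apps_file_list", "/my_plugins", "/plugin_store", "/plugins")

# Constructed line format:  <ts> <client> <account> "<METHOD> <path> HTTP/x.y" <status>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<account>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

# Constructed sample: one read-only session walking the privileged pages,
# an admin doing the same legitimately, and a read-only account refused.
SAMPLE_LOG = """\
2020-06-01T10:00:01Z 10.0.0.5 user "GET / HTTP/1.1" 200
2020-06-01T10:00:04Z 10.0.0.5 user "GET /apps_file_list HTTP/1.1" 200
2020-06-01T10:00:09Z 10.0.0.5 user "POST /apps_file_list?page=2 HTTP/1.1" 200
2020-06-01T10:00:15Z 10.0.0.5 user "GET /admin/userAccounts HTTP/1.1" 200
2020-06-01T10:01:00Z 10.0.0.9 admin "GET /admin/userAccounts HTTP/1.1" 200
2020-06-01T10:02:00Z 10.0.0.7 netops "GET /plugin_store HTTP/1.1" 403
this line is deliberately malformed and must be skipped
"""


def is_privileged(path: str) -> bool:
    path = path.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in PRIVILEGED)


def scan(log_text: str) -> List[Dict[str, object]]:
    """One record per request in which a read-only account hit a privileged
    endpoint; `served` is True when the server answered 2xx."""
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                    # skip unparseable lines
        # Unknown accounts are treated as read-only so they are never ignored.
        right = ACCOUNT_RIGHTS.get(m["account"], "readOnly")
        if right != "readOnly" or not is_privileged(m["path"]):
            continue
        alerts.append({
            "ts": m["ts"], "client": m["client"], "account": m["account"],
            "method": m["method"], "path": m["path"].split("?", 1)[0],
            "served": m["status"].startswith("2"),
        })
    return alerts


def summarize(alerts: List[Dict[str, object]]) -> Dict[Tuple[str, str], Dict[str, List[str]]]:
    """Group by (account, client): several distinct privileged paths served to
    one read-only session is the signature of the forced-browsing pattern."""
    groups: Dict[Tuple[str, str], Dict[str, set]] = defaultdict(
        lambda: {"served": set(), "blocked": set()})
    for a in alerts:
        key = (str(a["account"]), str(a["client"]))
        groups[key]["served" if a["served"] else "blocked"].add(str(a["path"]))
    return {k: {"served": sorted(v["served"]), "blocked": sorted(v["blocked"])}
            for k, v in groups.items()}


if __name__ == "__main__":
    for (account, client), paths in summarize(scan(SAMPLE_LOG)).items():
        print(f"{account}@{client}: served={paths['served']} blocked={paths['blocked']}")
```

Served hits are the actionable signal on an unpatched switch; blocked hits after the upgrade confirm the fix is enforcing the accessRight and still identify accounts whose sessions are probing beyond their role.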