
Singapore’s Cyber Security Group, an agency charged with securing the nation’s cyberspace, has uncovered four critical flaws in code from network software company Riverbed.
The vulnerable application is SteelCentral AppInternals, formerly referred to as AppInternals Xpert, provided by Riverbed’s Aternity division. AppInternals provides application performance monitoring and diagnostics, and is part of SteelCentral. Customers usually deploy it in their datacenters and on their cloud servers to collect performance data, transaction traces, and more, so it can all be monitored from a centralized UI.
The insecure code is in Dynamic Sampling Agent, the collection component of AppInternals. Affected versions include 10.x, versions prior to 12.13.0, and versions prior to 11.8.8.
The four critical vulnerabilities are listed as:
- CVE-2021-42786 – CVSS 9.8
- CVE-2021-42787 – CVSS 9.4
- CVE-2021-42853 – CVSS 9.1
- CVE-2021-42854 – CVSS 9.8
CVE-2021-42786 is a remote-code execution vulnerability in the software’s API caused by a lack of input validation of a URL path. In CVE-2021-42787, a lack of input validation of a filename made it possible for attackers to supply sequences such as “../” as a name, leading to potential directory traversal, meaning miscreants could gain unauthorized access to restricted resources.
CVE-2021-42853 and CVE-2021-42854 also involved directory traversal vulnerabilities in API endpoints. Users of Riverbed’s software should ensure their deployments are up to date.
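As an added illustration of the filename-traversal bug class described above (this is not Riverbed’s code; the base directory, endpoint and log lines are constructed for the example), the first function shows the confinement check an API endpoint should apply to a user-supplied filename, and the second flags access-log requests carrying plain or percent-encoded “../” sequences:

```python
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# Hypothetical directory the endpoint is allowed to serve files from.
BASE_DIR = "/var/lib/agent/data"

def safe_join(base_dir: str, user_filename: str) -> Optional[str]:
    """Return an absolute path inside base_dir, or None when the
    user-supplied name would escape it (via '../', an absolute path,
    or an encoded variant)."""
    name = unquote(user_filename)          # '%2e%2e%2f' -> '../'
    if "\x00" in name:                     # reject NUL-truncation tricks
        return None
    base = os.path.normpath(base_dir)
    # normpath collapses '.' and '..' so the result reflects the real target
    candidate = os.path.normpath(os.path.join(base, name))
    # Confinement check: must be strictly below base, not base itself
    if candidate == base or not candidate.startswith(base + os.sep):
        return None
    return candidate

# '..' followed by a separator, in plain, URL-encoded and double-encoded forms
TRAVERSAL_RE = re.compile(
    r"(\.\.|%2e%2e|%252e%252e)(/|\\|%2f|%5c|%252f)", re.IGNORECASE)

def flag_traversal_requests(log_lines: List[str]) -> List[str]:
    """Return request targets from Apache/NGINX-style access-log lines
    that contain a directory-traversal sequence."""
    flagged = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        fields = parts[1].split()          # 'GET /path HTTP/1.1'
        if len(fields) >= 2 and TRAVERSAL_RE.search(fields[1]):
            flagged.append(fields[1])
    return flagged

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2022:10:00:00 +0000] "GET /api/files?name=report.txt HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2022:10:00:01 +0000] "GET /api/files?name=../../config/settings.ini HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2022:10:00:02 +0000] "GET /api/files?name=%2e%2e%2f%2e%2e%2fconfig%2fsettings.ini HTTP/1.1" 200 1024',
]
```

Decoding before the check matters: a validator that only looks for a literal “../” passes the encoded form through to the filesystem layer, which then resolves it normally.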
Riverbed worked with the research team on the assessment, identification, and mitigation of the vulnerabilities as they were discovered, evaluated, and validated. Product engineering and security teams have security assessment and testing processes integrated into our software development lifecycle (SDLC). Updates were made available as part of Riverbed customer support services via the support portal.
Riverbed statement