The discovered bug occurs due to improper handling of some of the HTTP request headers provided by the client. This could allow an attacker to remotely exploit GateManager to achieve remote code execution without any authentication required. If carried out successfully, such an attack could result in a complete security breach that grants full access to a customerβs internal network, along with the ability to decrypt all traffic that passes through the VPN.
Recent assessments:
wvu-r7 at July 31, 2020 3:50pm UTC reported:
The web functionality is implemented in the x86 gm_server
binary.
Using the Claroty report and a hunch, I decided to test the Content-Length
header for negative values:
> The discovered bug occurs due to improper handling of some of the HTTP request headers provided by the client.
>
> [snip]
>
> CVE-2020-14500
IMPROPER NEUTRALIZATION OF NULL BYTE OR NULL CHARACTER CWE-158
An attacker can send a negative value and overwrite arbitrary data.
On the /admin
page, setting Content-Length
to a large negative value yielded a segfault in the gm_server
process:
[30665.430945] gm_server[25115]: segfault at 56e35df1 ip 00000000566c0816 sp 00000000ffcb6bf0 error 6 in gm_server[565cf000+175000]
[30665.430952] Code: e8 e8 ee f4 ff ff 89 c7 e9 61 fe ff ff 8d b4 26 00 00 00 00 8b 95 60 02 00 00 85 d2 0f 84 93 00 00 00 8b 85 68 02 00 00 31 ff <c6> 04 02 00 8b 45 14 83 f8 02 0f 84 34 fe ff ff 0f 82 84 02 00 00
Note that a watchdog restarts the process when it crashes.
For GateManager 8250 on Linux, the gm_server
binary has NX and PIE enabled. The embedded 4260 and 9250 models have only NX:
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
No RELRO No canary found NX enabled No PIE No RPATH No RUNPATH No Symbols No 0 22 gm_server.unpatched
Exploitability of the embedded models seems high, given that PIE isnβt enabled. NX and system ASLR can be bypassed with ROP.
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 3