Security advisory: Entando (CVE-2021-35450)

Entando Admin Console <= 6.3.9 – Server Side Template Injection

Swascan has proactively pursued a Responsible Vulnerability Disclosure activity with the system integrator Entando after a critical vulnerability was identified during a penetration testing activity.

Entando in brief

Entando is an open-source software company providing the leading modular application platform for building enterprise web apps on Kubernetes.

The company, founded in 2010 as an open-source system integrator, was re-founded as a product company in 2015 in response to the growing demand for tools and services to create modern online experiences.

Since then, the company has expanded into international markets, with offices in North America, R&D and sales offices in Europe, and teams around the world, including in the United States, Italy, Brazil, South Africa, Ukraine, and the Philippines.

The system integrator has particular expertise in the banking, public sector, and services industries, with offerings spanning various software subscription and service levels.

Technical Summary

During a Penetration Test, Swascan’s Cyber Security Research Team detected an important vulnerability on:

  • ENTANDO Admin Console <= 6.3.9

The detected vulnerability was:

Vulnerability                                               CVSS  Severity
Server-Side Template Injection – Remote Command Execution   7.2   CRITICAL

Swascan recommended upgrading the Entando Admin Console to the latest version available on GitHub at https://github.com/entando/entando-admin-console.

The following section gives the technical details of this vulnerability, including evidence and a proof of concept.

Vulnerability details

Server-Side Template Injection: Remote Command Execution

CWE-94: Improper Control of Generation of Code (‘Code Injection’)
CVSSv3.1: 7.2 [AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H]
OWASP: A1:2017-Injection
Remediation Complexity: HIGH
Remediation Status: FIXED

Description

Entando Admin Console <= 6.3.9 is affected by a Server Side Template Injection vulnerability that allows system commands to be executed by inserting instructions into the template framework used to render the application.

An attacker can therefore execute system commands by inserting appropriate instructions into the graphical components (widgets) of the application's web pages, which are rendered by the FreeMarker engine used by the Entando CMS. As the CVSS vector (PR:H) reflects, editing those components requires a privileged Admin Console account.

Proof of Concept

The following POC shows how it is possible to execute system commands and obtain a remote shell by inserting instructions recognized by the FreeMarker framework.

To demonstrate the vulnerability, the code was inserted into the “help_desk” widget because, in this particular case and with the layout chosen for the application, that widget can easily be called up from the browser to trigger execution of the command:

<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("uname -a") }

Evidence 1: Inserting code within the widget editor

Below is a more detailed view:

Evidence 2: Inserting system command: “uname -a”
Evidence 3: Command execution successful

By exploiting this vulnerability, a reverse command shell was obtained, as shown here:
Evidence 4: Obtained system shell

Remediation

The Swascan Cyber Security Research Team opened a CVE ID request at

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35450

and the system integrator fixed the issue in Entando Admin Console release 6.4.1 by updating the version of FreeMarker used in the component dependencies.
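The advisory's remediation was a FreeMarker dependency upgrade. As an added example that is not part of the advisory or of Entando's code, the following Java snippet shows the complementary application-level control that FreeMarker 2.3.x has offered since 2.3.17: setting the new_builtin_class_resolver so that the ?new built-in refuses to instantiate freemarker.template.utility.Execute, the class the proof of concept relies on. The class name, template name and inputs are constructed for illustration and assume a FreeMarker 2.3.30 or later jar on the classpath.

```java
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collections;

import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

public class FreeMarkerHardeningDemo {

    // Build a Configuration whose ?new built-in is blocked entirely.
    // SAFER_RESOLVER would instead block only Execute, ObjectConstructor and
    // JythonRuntime; ALLOWS_NOTHING_RESOLVER is the right choice when templates
    // never legitimately need ?new, which is the usual case for CMS widgets.
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        return cfg;
    }

    // Render an in-memory template (constructed input standing in for a widget body).
    static String render(Configuration cfg, String source, Object model)
            throws IOException, TemplateException {
        Template template = new Template("widget", new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();

        // Ordinary widget markup still renders normally.
        String benign = "Hello ${name}";
        System.out.println(render(cfg, benign, Collections.singletonMap("name", "world")));

        // The pattern from the proof of concept: ?new on Execute. The resolver
        // refuses it before any object is created, so the assignment fails and
        // nothing after it is evaluated.
        String hostile = "<#assign ex = \"freemarker.template.utility.Execute\"?new()>unreachable";
        try {
            render(cfg, hostile, Collections.emptyMap());
            System.out.println("NOT blocked: review the resolver setting");
        } catch (TemplateException e) {
            System.out.println("Blocked by class resolver: " + e.getMessage());
        }
    }
}
```

The resolver only governs ?new; objects exposed through the data model and the ?api built-in need to be reviewed separately.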

References

  • https://cwe.mitre.org/data/definitions/94.html
  • https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=freemarker&search_type=all
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35450
  • https://github.com/entando/entando-admin-console
  • https://github.com/entando/entando-core-parent/commit/d88efab44dbe961a202a0b8d83fdd6f3a6e79d11
