Security advisory: Entando (CVE-2021-35450)

Entando Admin Console <= 6.3.9 – Server Side Template Injection

Swascan Offensive Security Team has proactively pursued a Responsible Vulnerability Disclosure activity with the system integrator Entando after a vulnerability of high severity was identified during a penetration testing activity.

Entando in brief

Entando is an open-source software company providing the leading modular application platform building enterprise web apps on Kubernetes.

The company, founded in 2010 as an open-source system integrator, was re-founded as a product company in 2015 in response to the growing demand for tools and services to create modern online experiences.

Since then, the company has stepped into international markets expanding with offices in North America with R&D and sales offices in Europe, and features teams all over the world, including the United States, Italy, Brazil, South Africa, Ukraine, and the Philippines.

The system integrator has particular expertise in the banking, public sector, and services industries. With services span various software subscription and service levels.

Technical Summary

During a Penetration Test, Swascan’s Cyber Security Research Team detected an important vulnerability on:

  • ENTANDO Admin Console <= 6.3.9

The detected vulnerability was:

VulnerabilityCVSSSeverity
Server-Side Template Injection – Remote Command Execution7.2CRITICAL

Swascan recommended to upgrade the Entando Admin Console to latest version available on GitHub at https://github.com/entando/entando-admin-console.

In the following section the technical details on this vulnerability including evidences and a proof-of-concept

Vulnerability details

Server-Side Template Injection: Remote Command Execution

CWE-94:                                Improper Control of Generation of Code (‘Code Injection’)
CVSSv3.1:                              [7.2 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H]
OWASP:                                 A1:2017-Injection
Remediation Complexity:   HIGH
Remediation Status:            FIXED

Description

Entando Admin Console <= 6.3.9 is affected by a Server Side Template Injection vulnerability for which it is possible to execute system commands by inserting instructions within the framework used to render the application.

A potential attacker will then be able to execute system commands by inserting appropriate instructions within the graphic components of the application web pages using the FreeMarker rendering engine used by the Entando CMS.

Proof of Concept

The following POC shows how it is possible to execute system commands and obtain a remote shell by inserting instructions recognized by the FreeMarker framework.

To demonstrate the vulnerability, it was chosen to insert code in the “help_desk” widget as, only in this particular case and layout chosen for the application, it can be easily called up from the browser to trigger the execution of the command

<#assign ex = “freemarker.template.utility.Execute”?new()>${ ex(“uname -a”)}

Evidence 1: Inserting code within the widget editor

Below is a more explanatory detail:

Evidence 2: Inserting system command: “uname -a”

Evidence 3 Command execution successful

Evidence 3: Command execution successful

By exploiting this vulnerability we got a reverse command shell as shown here:

Evidence 4: Obtained system shell

Remediation

The Swascan Cyber Security Research Team opened a CVE ID  request at

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35450

and the system integrator fixed the issue with the Entando Admin Console, Release 6.4.1 updating the version of FreeMarker used in the component dependencies.

References

  • https://cwe.mitre.org/data/definitions/94.html
  • https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=freemarker&search_type=all
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35450
  • https://github.com/entando/entando-admin-console
  • https://github.com/entando/entando-core-parent/commit/d88efab44dbe961a202a0b8d83fdd6f3a6e79d11
Swascan collaborates with Xerox on fixing Security Issue
Security advisory Rohde Schwarz: R&S®Cloud Protector WAF Bypass

Cyber Incident Swascan Emergency

Contact us for immediate support

The undersigned, as data subject, DECLARES that I have read and understood the content of the privacy policy pursuant to Article 13, GDPR. AGREE to the processing of data in relation to the sending by the Data Controller of commercial and / or promotional communications relating to (i) own products / services, or (ii) products / services offered by third parties.
The consent given may be revoked at any time by contacting the Data Controller at the addresses provided in the aforementioned privacy policy.