San Antonio, TX. Digital Defense, Inc., a leading provider of Vulnerability Management as a Service (VMaaS™), disclosed the discovery of four zero-day security vulnerabilities found in the Riverbed Technology SteelCentral Portal version 1.3.1 and 1.4.0. The vulnerabilities are critical in nature due to the ability of a cybercriminal to exploit these issues to gain access to the performance monitoring platform and retrieve confidential data. Riverbed has collaborated closely with Digital Defense and addressed these vulnerabilities.
About the Vulnerabilities
Digital Defense Vulnerability Research Team (VRT) detected the previously unknown vulnerabilities while developing new audit modules for its patented vulnerability scanning technology.
Two unauthenticated remote code execution vulnerabilities would allow an attacker to run arbitrary code with SYSTEM privileges and fully compromise the host running the SteelCentral Portal application. Compromise of the portal application would allow for credentials of all connected SteelCentral data sources to be recovered and leveraged to further compromise the connected data sources.
Additionally, two information disclosure flaws would allow unauthenticated user enumeration, disclosing valid usernames for the Riverbed SteelCentral Portal application and its connected data sources.
Riverbed has addressed the vulnerabilities. For more information, customers may contact Riverbed customer support staff through their support portal.
Details surrounding each of the four vulnerabilities are available on the Digital Defense website. Additionally, the company’s patented scanning technology can detect all of these vulnerabilities with explicit network tests for the affected network services.
Digital Defense Research Methodology and Practices
The Digital Defense VRT regularly works with organizations in the responsible disclosure of zero-day vulnerabilities. The expertise of the VRT, when coupled with the company’s next generation hybrid cloud platform, Frontline™ Vulnerability Manager, enables early detection capabilities. When zero-days are discovered and internally validated, the VRT immediately contacts the affected vendor to notify the organization of the new finding(s) and then assists, wherever possible, with the vendor’s remediation actions.
“Security flaws in the application-layer of critical infrastructure remain a blind spot for both vendors and the organizations they serve”, said Mike Cotton, Vice President of Research and Development at Digital Defense. “We applaud Riverbed for working with us to pinpoint and eliminate these flaws from their platform.”