Executive Summary

CVE-2019-25251 is a Server-Side Request Forgery (SSRF) vulnerability in Teradek VidiU Pro version 3.0.3 and related versions. It exists in the management interface, specifically in the RTMP settings and Wowza server mode, where user-supplied GET parameters 'url' and 'xml_url' are used without proper validation. This allows an attacker to manipulate these parameters to make the device send HTTP requests to arbitrary external or internal hosts. This can be exploited to bypass firewalls, perform internal network and service enumeration, and potentially trigger XML External Entity (XXE) attacks due to XML parsing of the responses. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to bypass firewalls and access internal network resources through the vulnerable device. Attackers can perform network enumeration to discover internal services and potentially exploit further vulnerabilities. Additionally, the SSRF can lead to XML External Entity (XXE) attacks, which may disclose sensitive information. Overall, it poses a risk of exposing system and sensitive information and could lead to unauthorized system access. [1, 2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring and testing the vulnerable endpoints that process the 'url' and 'xml_url' GET parameters. Specifically, you can send crafted HTTP GET requests to the following endpoints to check if the system makes external HTTP requests: 1. /cgi-bin/wowza.cgi?command=read_url&url=<test_url> 2. /cgi-bin/system.cgi?command=rtmp&action=rtmp_xml_from_url&xml_url=<test_url> By substituting <test_url> with arbitrary external domains or IP addresses and ports, you can observe if the device attempts to connect to those addresses, indicating SSRF vulnerability. For example, using curl commands: curl 'http://<device_ip>/cgi-bin/wowza.cgi?command=read_url&url=http://example.com' curl 'http://<device_ip>/cgi-bin/system.cgi?command=rtmp&action=rtmp_xml_from_url&xml_url=http://example.com' Additionally, proof-of-concept CSRF HTML forms exist to automate blind SSRF and XXE testing. Monitoring network traffic for unexpected outbound HTTP requests from the device to arbitrary hosts can also help detect exploitation attempts. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the management interface of the Teradek VidiU Pro device to trusted networks and users only, effectively preventing unauthorized external access. Network-level controls such as firewall rules should be implemented to block outbound HTTP requests from the device to untrusted or arbitrary external hosts. If possible, disable or restrict the vulnerable RTMP settings and Wowza server mode functionality until a patch or update is available. Monitoring and logging should be enhanced to detect suspicious activity related to the vulnerable endpoints. Since the vendor did not respond before the advisory release, applying any available firmware updates or patches from Teradek should be prioritized once released. [1, 2]

Useful 0 Not Useful 0

Compliance Impact

The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, the vulnerability allows attackers to bypass firewalls, perform internal network enumeration, and potentially disclose sensitive information via XML External Entity (XXE) attacks, which could lead to unauthorized access to sensitive data. Such unauthorized access and data exposure could negatively impact compliance with data protection regulations that require safeguarding sensitive information. [1, 2]

Useful 0 Not Useful 0