Compliance Impact

I don't know

Useful 0 Not Useful 0

Executive Summary

[{'type': 'paragraph', 'content': "CVE-2016-20035 is a Cross-Site Request Forgery (CSRF) vulnerability in Wowza Streaming Engine version 4.5.0. It allows attackers to perform unauthorized administrative actions by tricking logged-in administrators into visiting malicious web pages. These pages submit crafted POST requests to the user edit endpoint, enabling the attacker to create new administrator accounts with arbitrary credentials without the administrator's consent."}, {'type': 'paragraph', 'content': 'The vulnerability exists because the application interface processes certain HTTP requests without validating their authenticity, lacking proper CSRF protections.'}] [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to escalate privileges by creating new administrator accounts on the Wowza Streaming Engine server without authorization. If a logged-in administrator visits a malicious website, the attacker can exploit the vulnerability to gain administrative control over the server.

With administrative access, the attacker can perform privileged actions, potentially compromising the security and management of the streaming server.

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP POST requests to the user edit endpoint of the Wowza Streaming Engine web interface, specifically requests targeting `/enginemanager/server/user/edit.htm` that attempt to create or modify user accounts with administrative privileges.'}, {'type': 'paragraph', 'content': 'Detection can involve inspecting web server logs or network traffic for suspicious POST requests containing parameters such as `userName`, `userPassword`, `accessLevel` set to "admin", and `advUser` set to "true".'}, {'type': 'paragraph', 'content': 'Example commands to detect such activity might include using tools like `grep` on server logs or `tcpdump`/`Wireshark` to capture and filter HTTP POST requests:'}, {'type': 'list_item', 'content': "grep -i 'POST /enginemanager/server/user/edit.htm' /path/to/access.log"}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'userName\\|accessLevel\\|advUser'"}, {'type': 'paragraph', 'content': 'Additionally, reviewing the list of users on the Wowza Streaming Engine for unexpected new administrator accounts can help identify exploitation.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the Wowza Streaming Engine administrative interface to trusted networks and users only.

Implementing CSRF protections such as requiring tokens for POST requests to sensitive endpoints can prevent unauthorized administrative actions.

Administrators should also avoid visiting untrusted websites while logged into the Wowza Streaming Engine management interface to reduce the risk of CSRF attacks.

Review and remove any unauthorized administrator accounts that may have been created due to this vulnerability.

If available, apply vendor patches or updates that address this vulnerability.

Useful 0 Not Useful 0