CVE-2024-45164 - Broken Access Control: ThreatAvert Policy Page in Akamai Applications Portal (SIA ThreatAvert)
NetbyteSEC Security Advisory - Broken Access Control: ThreatAvert Policy Page in Akamai Applications Portal (SIA ThreatAvert)
Title: Broken Access Control: ThreatAvert Policy Page in Akamai Applications Portal (SIA ThreatAvert)
Advisory ID: NBS-2024-0001
Product: SIA ThreatAvert
Affected Version: 19.2.0.2
CVE ID: CVE-2024-45164
Author: Abu Bakar bin Zaharudin | Muhammad Abdul Aalim Ahmad Rozli | NetbyteSEC
Vendor/Product Description
SIA ThreatAvert protects the CacheServe DNS and ISP network infrastructure from a number of Internet-based threats including DDoS attacks, pseudo-random subdomain (PRSD) and other amplification attacks, as well as toll fraud attacks and DNS tunneling.
Vulnerability Overview
SIA ThreatAvert is vulnerable to broken access control. The application generally enforces authorisation controls on its settings and configuration pages. However, the Admin function for ThreatAvert, specifically the ThreatAvert Policy page, is missing such a control.
The vulnerability was patched by Akamai in the 19.2.0 SPS release version/Apps Portal Version 19.2.0.20240814.
Technical Details
Exploitation of this vulnerability requires an authenticated standard user. The broken access control allowed a standard user to view and access the Admin function on Network View and ThreatAvert. The image below shows the Admin view of the application page.
The image below shows the standard user view of the application page, where the ThreatAvert Policies option is not available.
Figure 1.1: Standard user view
The image below shows that, although ThreatAvert Policies is not available on the main page, a standard user can still directly access the Network View admin page by browsing to the URL: https://<IP-Address/Hostname>/#app/intelligence/threatAvertPolicies.
Figure 1.2: Standard user policy page
A standard user can not only access the page but also disable or enable any policy, as shown below:
Figure 1.3: Standard user can disable or enable policy
The API endpoints for enable and disable are as follows:
- https://<IP-Address/Hostname>/network-security/component-amp-an
- https://<IP-Address/Hostname>/network-security/component-amp-large
- https://<IP-Address/Hostname>/network-security/component-amp-purpose
- https://<IP-Address/Hostname>/network-security/component-amp-size
- https://<IP-Address/Hostname>/network-security/component-botnet-monitor
- https://<IP-Address/Hostname>/network-security/component-botnet-stop
- https://<IP-Address/Hostname>/network-security/component-prsd-high
- https://<IP-Address/Hostname>/network-security/component-prsd-recent
- https://<IP-Address/Hostname>/network-security/component-prsd-rsd
- https://<IP-Address/Hostname>/network-security/component-tunnel-stop
- https://<IP-Address/Hostname>/network-security/component-tunnel-suspected
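As an added illustration (not Akamai's or NetbyteSEC's code), the following Python models the enable/disable endpoints listed above: the handler that only checks for a session, which is the defect the advisory describes, next to one that enforces the Admin role on the API itself and records denied attempts for detection. The role names, request shape and policy store are assumptions.

```python
from dataclasses import dataclass, field

POLICY_ENDPOINTS = {  # paths from the advisory, host prefix removed
    "/network-security/component-amp-an",
    "/network-security/component-amp-large",
    "/network-security/component-amp-purpose",
    "/network-security/component-amp-size",
    "/network-security/component-botnet-monitor",
    "/network-security/component-botnet-stop",
    "/network-security/component-prsd-high",
    "/network-security/component-prsd-recent",
    "/network-security/component-prsd-rsd",
    "/network-security/component-tunnel-stop",
    "/network-security/component-tunnel-suspected",
}

@dataclass
class Request:
    user: str       # authenticated principal; "" means no session
    role: str       # assumed: "admin" or "standard", read from the server-side session
    path: str
    enabled: bool   # desired policy state carried in the request body

@dataclass
class PolicyStore:
    enabled: dict = field(default_factory=lambda: dict.fromkeys(POLICY_ENDPOINTS, True))
    audit: list = field(default_factory=list)

def toggle_vulnerable(req: Request, store: PolicyStore) -> int:
    """Before the fix: only a session is checked; hiding the menu item is the sole 'control'."""
    if not req.user:
        return 401
    if req.path not in POLICY_ENDPOINTS:
        return 404
    store.enabled[req.path] = req.enabled
    return 200

def toggle_fixed(req: Request, store: PolicyStore) -> int:
    """After the fix: the role check lives on the API, not in the UI."""
    if not req.user:
        return 401
    if req.path not in POLICY_ENDPOINTS:
        return 404
    if req.role != "admin":
        store.audit.append(("denied", req.user, req.path))  # visible to detection
        return 403
    store.enabled[req.path] = req.enabled
    store.audit.append(("changed", req.user, req.path, req.enabled))
    return 200
```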
The vulnerability affects version 19.2.0.2, as shown below:
Mitigation
Update to the latest patch: 19.2.0 SPS release version/Apps Portal Version 19.2.0.3.
Akamai's advice to those who cannot immediately update their Apps Portal to release 19.2.0.20240814 or newer is to eliminate ThreatAvert standard user role assignments and rely on Admin users for ThreatAvert report access until an Apps Portal upgrade can be performed.
Additional Notes
- The SIA ThreatAvert application is only accessible to carrier employees, more specifically network security administrators, via the SIA Applications Portal, most commonly utilizing SSO authentication against the provider’s IDP.
- The vulnerability is further limited to internal (Internet Service Provider) personnel that are specifically authorized for the “standard” ThreatAvert user role.
- Akamai doesn't pre-populate any standard user credentials; this role assignment must be specifically configured by the carrier.
- A rogue employee could enable/disable some/all policy enforcement associated with the ThreatAvert product on inbound DNS queries.
- Any applied policy change would be reflected in ThreatAvert block reporting and therefore caught and re-applied in short order.
Vendor Contact Timeline
2024-07-23: Contacted vendor via [email protected]
2024-07-31: Submitted vulnerability disclosure to vendor through email
2024-07-31: Vendor acknowledged the report
2024-08-19: Vendor fixed the vulnerability
2024-08-19: Submitted private disclosure to CVE assignee
2024-08-22: CVE number assigned by MITRE
2024-11-04: Public release of security advisory
NetByteSEC Sdn Bhd
===================
NetbyteSEC Sdn Bhd was incorporated under the Malaysian Companies Act 1965 in 2013.
NetbyteSEC is privately owned and is based in Cyberjaya, Selangor, Malaysia.
More information about NetbyteSEC Sdn Bhd can be found at:
https://www.netbytesec.com