Overview
The ifmap service that comes bundled with Contrail releases prior to version 4.0 uses hard-coded credentials.
Impact
The vulnerable service in the Contrail product is an IFMAP daemon, which is packaged from irond. To keep things simple, let's continue with irond and the exploitation of the XXE vulnerability.
Affected versions
This issue affects Contrail 2.2, 3.0, 3.1, 3.2.
Proof of Concept
Details about the vulnerability are available from Guillaume TEISSIER's GitHub.
Solution
Security patch
Upgrade to Contrail 2.21.4, 3.0.3.4, 3.1.4.0, 3.2.5.0 and all subsequent releases.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-10616
https://supportportal.juniper.net/s/article/2017-10-Security-Bulletin-Contrail-hard-coded-credentials-CVE-2017-10616-and-XML-External-Entity-XXE-vulnerability-CVE-2017-10617
https://github.com/gteissier/CVE-2017-10617
Credits
Orange CERT-CC
Guillaume TEISSIER at Orange group
Timeline
Date reported: June 13, 2017
Date fixed: September 29, 2017