Entando Admin Console <= 6.3.9 – Server Side Template Injection
The Swascan Offensive Security Team proactively pursued a responsible vulnerability disclosure with the system integrator Entando after a high-severity vulnerability was identified during a penetration testing activity.
Entando in brief
Entando is an open-source software company providing the leading modular application platform for building enterprise web apps on Kubernetes.
The company, founded in 2010 as an open-source system integrator, was re-founded as a product company in 2015 in response to the growing demand for tools and services to create modern online experiences.
Since then, the company has expanded into international markets, with offices in North America, R&D and sales offices in Europe, and teams all over the world, including the United States, Italy, Brazil, South Africa, Ukraine, and the Philippines.
The system integrator has particular expertise in the banking, public sector, and services industries, with services spanning various software subscription and service levels.
Technical Summary
During a Penetration Test, Swascan’s Cyber Security Research Team detected an important vulnerability on:
- ENTANDO Admin Console <= 6.3.9
The detected vulnerability was:
| Vulnerability | CVSS | Severity |
|---|---|---|
| Server-Side Template Injection – Remote Command Execution | 7.2 | CRITICAL |
Swascan recommended upgrading the Entando Admin Console to the latest version available on GitHub at https://github.com/entando/entando-admin-console.
The following section gives the technical details of this vulnerability, including evidence and a proof of concept.
Vulnerability details
Server-Side Template Injection: Remote Command Execution
CWE-94: Improper Control of Generation of Code (‘Code Injection’)
CVSSv3.1: [7.2 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H]
OWASP: A1:2017-Injection
Remediation Complexity: HIGH
Remediation Status: FIXED
Description
Entando Admin Console <= 6.3.9 is affected by a Server Side Template Injection vulnerability: system commands can be executed by inserting instructions recognised by the template engine that renders the application.
An attacker with access to the Admin Console can therefore execute system commands by inserting appropriate FreeMarker directives into the graphic components (widgets) of the application web pages, which are rendered by the FreeMarker engine used by the Entando CMS.
Proof of Concept
The following POC shows how it is possible to execute system commands and obtain a remote shell by inserting instructions recognized by the FreeMarker framework.
To demonstrate the vulnerability, the code was inserted into the "help_desk" widget because, in this particular case and with the layout chosen for the application, that widget can easily be called up from the browser to trigger execution of the command.
<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("uname -a")}
Below is a more explanatory detail:
Remediation
The Swascan Cyber Security Research Team opened a CVE ID request at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35450
and the system integrator fixed the issue in Entando Admin Console Release 6.4.1 by updating the version of FreeMarker used in the component dependencies.
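The vendor's fix was a dependency upgrade. Independently of the FreeMarker version, an application that renders administrator-editable widget templates can disable the `?new` built-in that the proof of concept relies on. The Java class below is an added example written for this page, not Entando's or FreeMarker's own code: it builds a hardened FreeMarker `Configuration` using the real `TemplateClassResolver.ALLOWS_NOTHING_RESOLVER` and `setAPIBuiltinEnabled(false)` settings of the FreeMarker 2.3 API, renders the advisory's payload against it and reports whether the engine refused it. The class name, method names and the embedded widget template are the example's own.

```java
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

/**
 * Added example (not Entando or FreeMarker project code): a FreeMarker
 * Configuration hardened for a CMS whose widget templates are edited through
 * an admin UI, plus a check that the advisory's payload is refused.
 */
public class HardenedFreemarkerConfig {

    // Hypothetical widget template: the advisory's PoC payload embedded in a
    // template body, standing in for content submitted via the admin console.
    static final String POC_TEMPLATE =
        "<h1>Help desk</h1>\n"
        + "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ ex(\"uname -a\")}";

    public static Configuration buildHardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        // ?new is the primitive the PoC abuses: it instantiates an arbitrary
        // class implementing TemplateMethodModelEx. Widget authors in a CMS
        // never need it, so refuse every ?new call instead of relying on the
        // fixed block list of SAFER_RESOLVER (Execute, ObjectConstructor,
        // JythonRuntime).
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // ?api exposes the raw Java API of model objects; keep it off
        // (this is already the default, stated here explicitly).
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    /** Renders a template string with an empty data model and returns the output. */
    public static String render(Configuration cfg, String name, String source)
            throws IOException, TemplateException {
        Template t = new Template(name, new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        Map<String, Object> model = new HashMap<>();
        t.process(model, out);
        return out.toString();
    }

    /**
     * Returns true when the configuration refuses the payload. With
     * ALLOWS_NOTHING_RESOLVER the engine throws a TemplateException at the
     * ?new call itself, so the Execute class is never instantiated and the
     * command string is never handed to it.
     */
    public static boolean payloadIsBlocked(Configuration cfg) {
        try {
            render(cfg, "help_desk", POC_TEMPLATE);
            return false; // rendering succeeded: the engine is NOT hardened
        } catch (TemplateException e) {
            // FreeMarker's message names the class it refused to instantiate.
            return e.getMessage().contains("freemarker.template.utility.Execute");
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = buildHardenedConfiguration();
        System.out.println("payload blocked: " + payloadIsBlocked(cfg));
        // Ordinary widget markup still renders normally under the same config.
        System.out.println(render(cfg, "plain", "<h1>Help desk ${1 + 1}</h1>"));
    }
}
```

Compile and run against the `freemarker` artifact (2.3.30 or later) on the classpath; `payloadIsBlocked` returns true and the second line prints `<h1>Help desk 2</h1>`. `SAFER_RESOLVER` is the weaker alternative: it blocks only the classes FreeMarker lists as dangerous, whereas `ALLOWS_NOTHING_RESOLVER` also covers any class a future dependency might add, which matters when the people editing templates are not the people deploying the code.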
References
- https://cwe.mitre.org/data/definitions/94.html
- https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=freemarker&search_type=all
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35450
- https://github.com/entando/entando-admin-console
- https://github.com/entando/entando-core-parent/commit/d88efab44dbe961a202a0b8d83fdd6f3a6e79d11