CVE-2018-12335
Description
Incorrect access control in ECOS System Management Appliance (aka SMA) 5.2.68 allows a user to compromise authentication keys, and access and manipulate security relevant configurations, via unrestricted database access during Easy Enrollment.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: = 5.2.68
Vulnerability mechanics
Root cause
"Incorrect access control in the Easy Enrollment feature allows arbitrary port forwarding, enabling unrestricted access to the internal CouchDB database."
Attack vector
An attacker who obtains a valid activation code/passphrase pair (or performs a successful man-in-the-middle attack) can establish arbitrary port forwardings in the management appliance through the Easy Enrollment SSH tunnel [ref_id=1]. This allows the attacker to connect to the central CouchDB database, which is bound only to localhost on port 5984. The attacker can then dump credentials of arbitrary sticks and users, and modify the management database (e.g., enabling VNC with a weak password) [ref_id=1]. The activation code does not need to be deleted after use, so the attack may go unnoticed [ref_id=1].
Affected code
The advisory does not specify exact file paths or function names. The vulnerability resides in the Easy Enrollment feature of ECOS System Management Appliance (SMA) versions prior to 5.2.70 and 5.3.40. The CouchDB database listening on port 5984 is accessible via arbitrary port forwardings established through the Easy Enrollment SSH tunnel [ref_id=1].
What the fix does
According to the vendor, management versions 5.2.70 and 5.3.40 address this issue [ref_id=1]. The advisory does not include a patch diff, so the exact code changes are unknown. The advisory recommends mitigation measures such as using Easy Enrollment only in trusted networks and blocking port 909 (though noting this has side effects), and ensuring only trusted users obtain activation codes [ref_id=1].
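The root cause above is a tunnel account that may forward to any destination, including the loopback-only CouchDB port. The following defender-side audit is an added example, not taken from the advisory or the vendor; it assumes OpenSSH-style `AllowTcpForwarding`/`PermitOpen` directives and a hypothetical tunnel account named `enroll`, and both sample configurations are constructed.

```python
# Added example. Assumptions: OpenSSH-style directives and a tunnel account
# named "enroll"; the advisory names neither.
LOOPBACK = {"127.0.0.1", "localhost", "::1", "*"}
COUCHDB_PORT = 5984  # localhost-only CouchDB port from the advisory

WEAK = """\
# constructed sample: tunnel account, forwarding left at defaults
Match User enroll
    ForceCommand /bin/false
"""
HARDENED = """\
# constructed sample: tunnel account pinned to one destination
AllowTcpForwarding no
Match User enroll
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:8443
"""

def effective(config, user):
    """Resolve the forwarding directives that apply to `user`."""
    glob, match = {}, {}
    target = glob
    for raw in config.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        key, args = words[0].lower(), words[1:]
        if key == "match":
            hit = args[:1] == ["all"] or (
                len(args) == 2 and args[0].lower() == "user"
                and user in args[1].split(","))
            target = match if hit else {}   # discard non-matching blocks
        else:
            target.setdefault(key, args)    # first value obtained wins
    defaults = {"allowtcpforwarding": ["yes"], "permitopen": ["any"]}
    return {**defaults, **glob, **match}

def can_reach_couchdb(config, user):
    """True if `user` may open a local forward to loopback:5984."""
    opts = effective(config, user)
    if opts["allowtcpforwarding"][0].lower() not in ("yes", "all", "local"):
        return False
    for entry in opts["permitopen"]:
        if entry == "any":
            return True
        host, _, port = entry.rpartition(":")
        if host.strip("[]") in LOOPBACK and port in (str(COUCHDB_PORT), "*"):
            return True
    return False
```

The audit handles only `Match User` and `Match all` blocks; other Match criteria are treated as not applying.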
Preconditions
- input: Attacker must obtain a valid activation code/passphrase pair, or perform a successful man-in-the-middle attack on the Easy Enrollment process
- network: The management appliance must have Easy Enrollment enabled and be reachable over the network
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. telematik.prakinf.tu-ilmenau.de/ecos-sbs/advisory.html (mitre, x_refsource_MISC)