Source: cve@mitre.org
Trustwave Secure Web Gateway (SWG) through 11.8.0.27 allows remote attackers to append an arbitrary public key to the device's SSH Authorized Keys data, and consequently obtain remote root access, via the publicKey parameter to the /sendKey URI.
Trustwave Secure Web Gateway (SWG) devices are vulnerable to a critical flaw allowing remote attackers to gain root access by injecting their SSH public key. This vulnerability, exploitable via a simple HTTP request, grants complete control over the compromised device, potentially leading to data breaches and network compromise.
Step 1: Target Identification: Identify a vulnerable Trustwave SWG device running a version through 11.8.0.27.
Step 2: Public Key Generation: The attacker generates an SSH key pair (private and public).
Step 3: Payload Delivery: The attacker crafts an HTTP POST request to the /sendKey URI of the target device. The request includes the attacker's public key in the publicKey parameter.
Step 4: Key Injection: The Trustwave SWG application, due to the vulnerability, appends the attacker's public key to the authorized_keys file on the device.
Step 5: SSH Access: The attacker uses their private key to SSH into the device, gaining root access because the injected public key is now authorized.
Step 6: Post-Exploitation: The attacker can now execute arbitrary commands, potentially leading to data exfiltration, lateral movement, and complete network compromise.
The vulnerability stems from a failure to properly validate user-supplied input when handling SSH key uploads. Specifically, the /sendKey URI within the Trustwave SWG application allows users to append a public key to the authorized_keys file. The application lacks proper input sanitization and authorization checks on the publicKey parameter. This allows an attacker to inject a malicious SSH public key, bypassing authentication and gaining root access. The root cause is a lack of input validation and insufficient access control on a critical configuration function. The application trusts the publicKey parameter without verifying its origin or content, leading to the unauthorized modification of the authorized_keys file. This is a classic example of an authentication bypass vulnerability.
While no specific APT groups are definitively linked to this CVE, the ease of exploitation makes it attractive to various threat actors. This vulnerability could be used by both financially motivated and state-sponsored actors. The vulnerability's impact (root access) makes it a high-value target. Not listed on CISA KEV.
Network traffic analysis: Look for HTTP POST requests to the /sendKey URI with a publicKey parameter containing a public key.
Log analysis: Review Trustwave SWG logs for suspicious activity, such as unauthorized SSH logins or modifications to the authorized_keys file.
File integrity monitoring: Monitor the authorized_keys file for unexpected changes.
Endpoint detection and response (EDR) solutions can be configured to detect unauthorized SSH key additions.
SIEM alerts based on network traffic patterns and log anomalies.
Upgrade to a patched version of Trustwave SWG (version 11.8.0.28 or later).
Implement strong input validation on all user-supplied data, especially the publicKey parameter.
Enforce proper authorization and authentication for all configuration changes.
Regularly review and audit the authorized_keys file to identify and remove unauthorized keys.
Implement a robust SSH key management system.
Consider using a Web Application Firewall (WAF) to filter malicious requests.
Implement multi-factor authentication (MFA) for SSH access.