Blind Command Injection In Edgewater Edgemarc Devices
The HTTP web-management application on Edgewater Networks Edgemarc appliance has a hidden page that allows users to execute command ,though you get no feedback client-side from the web application.This exploit was developed based on the technical description by Depth Security firm .
“The User Commands page is used to enter specialized commands or enable features that are not available through other GUI pages. User commands are stored in the file /etc/config/user_defs.conf. They are automatically executed when Submit is pressed on the page, whenever the system starts, or a network restart is performed. User commands are commonly used to create user specific firewall and routing rules.”
Edgewater has confirmed that this vulnerability is present on all Edgemarc devices, regardless of vendor specific firmware. They also informed me that this is expected to be fixed in an upcoming release but did not specify a date. I can confirm that the default root password to log in to the interface requires the password to be changed upon first log in, in all devices produced or updated within the last year, effectively mitigating the vulnerability.