CVE-2020-13377
📋 TL;DR
This vulnerability allows an authenticated but low-privileged user to perform a directory traversal attack through the web-services interface of Loadbalancer.org Enterprise VA MAX (8.3.8 and earlier). Because the traversal gives both read and write access, an attacker can read sensitive files on the appliance and modify files outside the directory the interface is meant to expose. Organizations running affected versions of this load balancer are at risk.
💻 Affected Systems
- Loadbalancer.org Enterprise VA MAX
📦 What is this software?
Enterprise VA MAX is a virtual load-balancing appliance from Loadbalancer.org. It is administered through a web management interface (typically on port 9443), which also exposes the web-services interface affected by this vulnerability.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise including credential theft, configuration modification, and potential lateral movement to connected systems.
Likely Case
Unauthorized access to sensitive configuration files, logs, and credentials stored on the load balancer.
If Mitigated
Limited impact with proper network segmentation and strict access controls limiting authenticated user access.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. Public proof-of-concept demonstrates the attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.3.9 or later
Vendor Advisory: https://www.loadbalancer.org/products/virtual/enterprise-va-max/ (product page; no dedicated advisory is linked for this CVE)
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download and install version 8.3.9 or later from Loadbalancer.org.
3. Restart the load balancer service.
4. Verify that the update was successful (the version shown in the web interface or CLI is 8.3.9 or later).
🔧 Temporary Workarounds
Restrict Web-Services Access
Limit access to the web-services interface to trusted IP addresses only: configure firewall rules that restrict access to the load balancer management interface (typically port 9443) to the management network.
Disable Unnecessary Services
Disable the web-services interface through the load balancer configuration if it is not required for operations.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the load balancer management interface
- Enforce strong authentication and limit low-privileged user access to essential functions only
🔍 How to Verify
Check if Vulnerable:
Check the load balancer version via the web interface or CLI. If version is 8.3.8 or earlier, the system is vulnerable.
Check Version:
Check via web interface at https://<loadbalancer-ip>:9443 or use the CLI command specific to the appliance
Verify Fix Applied:
Verify the version is 8.3.9 or later and test directory traversal attempts are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in web-services logs
- Multiple failed directory traversal attempts
- Access to sensitive file paths from low-privileged accounts
Network Indicators:
- Unusual traffic patterns to the web-services interface (port 9443)
- Multiple requests with '../' sequences in URLs
SIEM Query:
source="loadbalancer_logs" AND (url="*../*" OR url="*..%2F*" OR url="*..%2f*" OR url="*%2e%2e*")
Group matches by source IP and authenticated user. A 2xx status on a matching request means the traversal was not rejected and should be triaged first. Do not OR on status="403" or on a specific user name, as in a naive query; that only floods the result set with unrelated events.
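The log and network indicators above, turned into detection logic that can be run over exported access logs. This is an added example for this page, not code from Loadbalancer.org or from the CVE write-up. It assumes the appliance's web-services access log is in the common "combined" format with the authenticated user in the third field; the `/ws/readfile` and `/ws/writefile` endpoints, the user names and the log lines themselves are constructed placeholders. It goes slightly beyond the SIEM query by normalizing percent-encoded, double-encoded and backslash traversal sequences before matching, and by counting attempts per source and user so a single probing account stands out.

```python
"""Traversal-attempt detection over web-services access logs.

Added example for this page (not code from Loadbalancer.org or from the
CVE-2020-13377 write-up). Assumptions: the appliance exports HTTP access logs
in the common "combined" format with the authenticated user in the third
field; the /ws/readfile and /ws/writefile endpoints and the user names are
placeholders; the sample lines below are constructed for illustration.
"""
import re
import urllib.parse
from collections import Counter

# Constructed sample: one low-privileged user probing with plain, URL-encoded,
# double-encoded and backslash traversal sequences, plus mostly benign admin
# traffic. None of these lines come from a real appliance.
SAMPLE_LOG = """\
10.0.0.5 - auditor [21/Apr/2020:10:01:02 +0000] "GET /ws/readfile?name=logs/lb.log HTTP/1.1" 200 512
10.0.0.5 - auditor [21/Apr/2020:10:01:09 +0000] "GET /ws/readfile?name=../../../../etc/passwd HTTP/1.1" 200 1403
10.0.0.5 - auditor [21/Apr/2020:10:01:15 +0000] "GET /ws/readfile?name=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 0
10.0.0.5 - auditor [21/Apr/2020:10:01:21 +0000] "POST /ws/writefile?name=%252e%252e%252fetc%252fcrontab HTTP/1.1" 200 0
10.0.0.9 - admin [21/Apr/2020:10:02:00 +0000] "GET /ws/status HTTP/1.1" 200 2048
10.0.0.9 - admin [21/Apr/2020:10:02:05 +0000] "GET /ws/readfile?name=..\\..\\..\\etc\\hosts HTTP/1.1" 200 300
"""

# Combined log format: src ident user [timestamp] "METHOD url proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A '..' path component followed by a separator (or the end of the URL).
TRAVERSAL_RE = re.compile(r"\.\.(?:/|$)")


def normalize_url(url: str) -> str:
    """Undo percent-encoding until it stops changing (bounded to three rounds
    so nested %25 chains cannot loop forever) and fold backslashes to slashes,
    so every spelling of '..' plus separator collapses to a literal '../'."""
    cur = url
    for _ in range(3):
        nxt = urllib.parse.unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")


def is_traversal(url: str) -> bool:
    """True when the normalized URL contains a '..' path component."""
    return TRAVERSAL_RE.search(normalize_url(url)) is not None


def analyze(log_text: str, threshold: int = 3) -> dict:
    """Return matching requests, per-actor counts, actors at or over the
    threshold, and the subset of attempts that got a 2xx (i.e. not rejected)."""
    hits, per_actor = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["url"]):
            continue
        hit = {
            "src": m["src"], "user": m["user"], "method": m["method"],
            "status": int(m["status"]), "url": m["url"],
            "normalized": normalize_url(m["url"]),
        }
        hits.append(hit)
        per_actor[(m["src"], m["user"])] += 1
    return {
        "hits": hits,
        "per_actor": dict(per_actor),
        "alerts": [actor for actor, n in per_actor.items() if n >= threshold],
        "succeeded": [h for h in hits if 200 <= h["status"] < 300],
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for h in result["hits"]:
        print(f'{h["src"]} {h["user"]:<8} {h["status"]} {h["method"]} {h["normalized"]}')
    print("repeat offenders:", result["alerts"])
    print("attempts not rejected:", len(result["succeeded"]))
```

On the constructed sample this flags four requests, identifies the `auditor` account from 10.0.0.5 as a repeat offender, and reports three attempts that were answered with a 2xx rather than rejected; those are the ones to triage first, since on an unpatched appliance a 2xx on a traversal read or write is the strongest sign the attack worked. The threshold is a tuning knob: on a quiet management interface a single traversal attempt is already worth an alert.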
🔗 References
- https://inf0seq.github.io/cve/2020/04/21/Path-Traversal-in-Enterprise-loadbalancer-VA-MAX-v8.3.8-and-earlier.html
- https://www.loadbalancer.org/products/virtual/enterprise-va-max/