On October 15, 2019, Tesla discovered, and responsibly disclosed, a vulnerability within Akamai's Enterprise Application Access (EAA) client that allows privilege escalation and remote code execution (RCE) when an attacker is within privileged locations on a network.
This vulnerability has been assigned CVE-2019-18847.
This vulnerability exists due to a combination of the lack of signature validation on end-user initiated update downloads and the lack of proper TLS certificate verification in the client when visiting the update software repositories. Akamai released a patch (version 2.0.1) on 3/20/20 and made it available to all EAA customers.
Akamai strongly urges customers who have not already updated their Enterprise Application Access (EAA) client to version 2.0.1 or later (as displayed in the EAA client) to do so immediately. Instructions are located here.
Customers utilizing EAA in a clientless configuration are not subject to this vulnerability and do not need to take any actions.
While Akamai has seen no evidence suggesting this vulnerability has been leveraged or exploited amongst our customers, a vulnerability of this nature should be treated as urgent and addressed as soon as possible.
To execute an exploit against this vulnerability, an attacker must either be able to modify DNS responses in order to redirect update traffic to their machine, or already be in a privileged position on the network where interception of traffic is possible, when an end user initiates an update.
Once exploited, an attacker can execute arbitrary code on the end-user machine with administrator/root privileges. Likewise, end users themselves can leverage this exploit to obtain privilege escalation on their own machines.
Akamai recommends immediate upgrading to 2.0.1 or later. Effective immediately, all versions prior to 2.0.1 are deprecated, and Akamai will commence working with customers to retire these vulnerable prior versions.
Akamai wishes to thank Tesla for responsibly disclosing this issue.