Message-ID: <PAVPR08MB9577019E544F96FF0DC3212389202@PAVPR08MB9577.eurprd08.prod.outlook.com>
Date: Tue, 19 Nov 2024 10:09:04 +0000
From: Weber Thomas via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Cc: Thomas Weber <t.weber@...erdanube.com>
Subject: [FD] St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH
 utnserver Pro

St. Pölten UAS 20241118-0
-------------------------------------------------------------------------------
                title| Multiple Stored Cross-Site Scripting
              product| SEH utnserver Pro
   vulnerable version| 20.1.22
        fixed version| 20.1.35
           CVE number| CVE-2024-11304
               impact| High
             homepage| https://www.seh-technology.com/
                found| 2024-05-24
                   by| P. Riedl, J. Springer, P. Chistè, D. Sagl, S. Vogt
                     | These vulnerabilities were discovered during research at
                     | St.Pölten UAS, supported and coordinated by CyberDanube.
                     |
                     | https://fhstp.ac.at | https://cyberdanube.com
-------------------------------------------------------------------------------

Vendor description
-------------------------------------------------------------------------------
"We are SEH from Bielefeld - manufacturer of high-quality network solutions.
With over 35 years of experience in the fields of printing and networks, we
offer our customers a broad and high-level expertise in solutions for all types
of business environments."

Source: https://www.seh-technology.com/us/company/about-us.html

Vulnerable versions
-------------------------------------------------------------------------------
utnserver Pro / 20.1.22
utnserver ProMAX / 20.1.22
INU-100 / 20.1.22


Vulnerability overview
-------------------------------------------------------------------------------
1) Multiple Stored Cross-Site Scripting (CVE-2024-11304)
Different settings on the web interface of the device can be abused to store
JavaScript code and execute it in the context of a user's browser.


Proof of Concept
-------------------------------------------------------------------------------
1) Multiple Stored Cross-Site Scripting (CVE-2024-11304)
The following snippet can be used to demonstrate that stored cross-site
scripting is possible in multiple locations on the device:
"><script>alert(document.location)</script>

Examples are:
 * Users password: "usrMg_pwd"
   This can be displayed in cleartext and executed in the device configuration.
 * Certificate options: "Common name", "Organization name", "Locality name"
   This can be executed in the certificate information.
 * Device description: "Host name", "Contact person", "Description"
   This can be executed in "Device -> Description".
 * USB password via uploading a crafted "_parameters.txt" file: "usbMdg_pwd"
   This can be executed in the "Maintenance -> Content View" tab.


Saving this text to the device description leads to persistent cross-site
scripting. Therefore, everyone who opens the device description executes the
injected code in the context of their own browser.
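
Added example, not part of the original advisory and not SEH's code: why the
snippet above breaks out of a quoted attribute when a stored setting is echoed
unencoded, next to the same rendering with output encoding, plus a check that
flags stored values containing markup characters. The HTML markup, the function
names and the sample settings are assumptions; the payload and field names are
taken from the advisory.

```javascript
// Payload quoted in the advisory: it closes the value="..." attribute and the tag.
const PAYLOAD = '"><script>alert(document.location)</script>';

// Constructed sample of stored settings (field names from the advisory).
const SAMPLE_SETTINGS = {
  'Host name': 'utn-lab-01',
  'Contact person': "O'Neil & Co",
  'Description': PAYLOAD,
};

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// "Before": the stored value is concatenated into the page as-is (hypothetical markup).
function renderFieldUnsafe(label, stored) {
  return `<input type="text" title="${label}" value="${stored}">`;
}

// "After": the stored value is encoded when it is written into the page.
function renderFieldSafe(label, stored) {
  return `<input type="text" title="${escapeHtml(label)}" value="${escapeHtml(stored)}">`;
}

// Rough count of opening tags in the output; more than one means the stored
// value created additional markup.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Audit helper: names of settings whose stored value contains < > or ".
function findMarkupInSettings(settings) {
  return Object.keys(settings).filter((name) => /[<>"]/.test(settings[name]));
}
```
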


The vulnerabilities were manually verified on an emulated device by using the
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution
-------------------------------------------------------------------------------
Install firmware version 20.1.35 to fix the vulnerabilities.


Workaround
-------------------------------------------------------------------------------
None


Recommendation
-------------------------------------------------------------------------------
CyberDanube recommends that SEH Computertechnik customers upgrade the firmware
to the latest version available.


Contact Timeline
-------------------------------------------------------------------------------
2024-09-23: Contacted SEH Computertechnik and sent advisory to support.
            Support answered that vulnerabilities are fixed in version
            20.1.35.
2024-10-21: Closed the issue and scheduled publication for November.
2024-11-18: Coordinated disclosure of advisory.

Web: https://www.fhstp.ac.at/
Twitter: https://x.com/fh_stpoelten
Mail: mis@...tp.ac.at

EOF T. Weber / @2024

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
