Vulnerability Research & Advisor

Purpose and operating procedures

As part of TIM's Cybersecurity activities, a working group dedicated to performing Security Assessments (Red Team) has been set up. It analyses software developed on demand, commercial off-the-shelf software and firmware.

Among the team's objectives is to detect the vulnerabilities that a potential attacker could exploit to carry out cyber attacks against TIM's infrastructure, and to highlight the real impacts observed.

The activity is not limited to checking for known vulnerabilities: it includes dedicated research aimed at discovering new vulnerabilities that are not yet publicly known (0-day vulnerabilities).

When 0-day vulnerabilities are found, a "responsible disclosure" process is followed with the vendor of the analysed product: the discovered vulnerabilities are reported promptly and confidentially, so that the vendor can reproduce them and produce a countermeasure (patch) within 90 days of the notification.

Once the countermeasure (patch) is released, or once 90 days have passed since the report, the vulnerabilities are published and classified with MITRE (CVE, Common Vulnerabilities and Exposures).

Similar actions are taken within TIM's Security Testing and Incident Handling processes whenever they lead to the discovery of vulnerabilities not yet known to the vendor and to the community.

CVE-2021-31540 - WOWZA Streaming Engine

Vulnerability Description: CWE-732: Incorrect Permission Assignment for Critical Resource
Software Version: < 4.8.5
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-31540
CVSSv3:
Severity:
Credits: Francesco Giordano, Massimiliano Brolli

Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions on the configuration files in the conf/ directory. A regular local user is able to read and write all the configuration files, e.g., to modify the application server configuration.

Figure 1: File permissions


CVE-2021-31539 - WOWZA Streaming Engine

Vulnerability Description: CWE-312: Cleartext Storage of Sensitive Information
Software Version: < 4.8.5
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-31539
CVSSv3:
Severity:
Credits: Francesco Giordano, Massimiliano Brolli

Wowza Streaming Engine through 4.8.5 (in a default installation) has cleartext passwords stored in the conf/admin.password file. A regular local user is able to read usernames and passwords.

Figure 1: File permissions


CVE-2021-29661 – Softing AG OPC Toolbox

Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Stored Cross-Site Scripting) - CWE-79
Software Version: Softing AG OPC Toolbox v4.10.1.13035
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-29661
CVSSv3: 5.4
Severity: Medium
Credits: Gianni Palombizio, Michele Cisternino, Stefano Scipioni, Massimiliano Brolli

Softing AG OPC Toolbox version 4.10.1.13035 allows Stored XSS in /en/diag_values.html via the ITEMLISTVALUES##ITEMID parameter. A malicious user leveraging this vulnerability could inject arbitrary JavaScript into the trace file. The malicious payload is then triggered every time an authenticated user browses the page containing it.

After logging in to the application with a valid user, the full request is shown in Figure 1.

Figure 1: Full HTTP request


The malicious payload is: "><script>alert('XSS')</script>

The JavaScript code is executed when the victim user navigates to the "Diagnostic/Trace" tab.

Figure 2: XSS on response page


CVE-2021-29660 – Softing AG OPC Toolbox

Vulnerability Description: Cross-Site Request Forgery (CSRF) - CWE-352
Software Version: Softing AG OPC Toolbox v4.10.1.13035
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-29660
CVSSv3: 8.8
Severity: High
Credits: Gianni Palombizio, Michele Cisternino, Stefano Scipioni, Massimiliano Brolli

A Cross-Site Request Forgery (CSRF) vulnerability in Softing AG OPC Toolbox version 4.10.1.13035 and earlier allows attackers to reset the administrative password by inducing the Administrator user to browse a URL controlled by an attacker.

Create and serve a web page containing the HTML code shown in Figure 1.

Figure 1: HTML code for CSRF victim


The authenticated administrator browses the page configured by the attacker. The password reset request is made to the web application, using the admin's browsing session.

Figure 2: The page is served on the attacker system and requested by the victim


The password of the "Administrator" user is reset successfully.

Figure 3: CSRF password reset request executed successfully


CVE-2021-28250 – CA eHealth Performance Manager

Vulnerability Description: Privilege Escalation via SUID/SGID file - CWE-250
Software Version: CA eHealth Performance Manager <= 6.3.2.12
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-28250
CVSSv3: 7.8
Severity: High
Credits: Veno Eivazian, Alessandro Sabetta, Massimiliano Brolli

CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a setuid (and/or setgid) file. When a component is run as an argument of the runpicEhealth executable, the script code will be executed as the ehealth user.

CVE-2021-28249 – CA eHealth Performance Manager

Vulnerability Description: Privilege Escalation via Dynamically Linked Shared Object Library - CWE-426
Software Version: CA eHealth Performance Manager <= 6.3.2.12
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-28249
CVSSv3: 8.8
Severity: High
Credits: Veno Eivazian, Alessandro Sabetta, Massimiliano Brolli

CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a Dynamically Linked Shared Object Library. To exploit the vulnerability, the ehealth user must create a malicious library in the writable RPATH, to be dynamically linked when the FtpCollector executable is run. The code in the library will be executed as the root user.

CVE-2021-28248 – CA eHealth Performance Manager

Vulnerability Description: Improper Restriction of Excessive Authentication Attempts - CWE-307
Software Version: CA eHealth Performance Manager <= 6.3.2.12
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-28248
CVSSv3: 7.5
Severity: High
Credits: Veno Eivazian, Alessandro Sabetta, Massimiliano Brolli

CA eHealth Performance Manager through 6.3.2.12 is affected by Improper Restriction of Excessive Authentication Attempts. An attacker is able to perform an arbitrary number of /web/frames/ authentication attempts using different passwords, and eventually gain access to a targeted account.

CVE-2021-28247 – CA eHealth Performance Manager

Vulnerability Description: Multiple Reflected Cross-site Scripting - CWE-79
Software Version: CA eHealth Performance Manager <= 6.3.2.12
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-28247
CVSSv3: 5.4
Severity: Medium
Credits: Veno Eivazian, Alessandro Sabetta, Massimiliano Brolli

CA eHealth Performance Manager through 6.3.2.12 is affected by Cross Site Scripting (XSS). The impact is: An authenticated remote user is able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and perform a Reflected Cross-Site Scripting attack against the platform users. The affected endpoints are: cgi/nhWeb with the parameter report, aviewbin/filtermibobjects.pl with the parameter namefilter, and aviewbin/query.pl with the parameters System, SystemText, Group, and GroupText.

CVE-2021-28246 – CA eHealth Performance Manager

Vulnerability Description: Privilege Escalation via Dynamically Linked Shared Object Library - CWE-426
Software Version: CA eHealth Performance Manager <= 6.3.2.12
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-28246
CVSSv3: 7.8
Severity: High
Credits: Veno Eivazian, Alessandro Sabetta, Massimiliano Brolli

CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a Dynamically Linked Shared Object Library. A regular user must create a malicious library in the writable RPATH, to be dynamically linked when the emtgtctl2 executable is run. The code in the library will be executed as the ehealth user.
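The two eHealth advisories above (CVE-2021-28249 and CVE-2021-28246) share one precondition: a directory in the executable's embedded RPATH/RUNPATH that the relevant user can write to. The audit helper below is an added example, not code from the advisories or from CA eHealth; it parses the output of readelf -d and classifies each search directory for a given uid/gid set. The sample readelf output, the /opt/app paths and the uids are constructed for illustration.

```python
"""
Added audit helper (not code from the TIM advisories or from CA eHealth):
takes the RPATH/RUNPATH that `readelf -d` reports for a binary and flags
search directories that a given unprivileged user could create files in.
All paths, uids and the sample readelf output below are constructed.
"""
import os
import re
import stat
import subprocess

# readelf -d prints one line per dynamic tag, for example:
#  0x000000000000000f (RPATH)   Library rpath: [/opt/app/lib:$ORIGIN/../lib]
_RPATH_RE = re.compile(
    r"\((?:RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s*\[(.*?)\]")


def parse_rpath(readelf_output):
    """Return the raw search entries (split on ':') from readelf -d text."""
    entries = []
    for m in _RPATH_RE.finditer(readelf_output):
        entries.extend(m.group(1).split(":"))
    return entries


def expand_entry(entry, binary_path):
    """Expand $ORIGIN relative to the binary's directory."""
    origin = os.path.dirname(os.path.abspath(binary_path))
    expanded = entry.replace("${ORIGIN}", origin).replace("$ORIGIN", origin)
    if not os.path.isabs(expanded):
        # Empty or relative entries (a trailing ':' is a classic mistake)
        # resolve against the current working directory of the process.
        expanded = os.path.join(os.getcwd(), expanded)
    return os.path.normpath(expanded)


def writable_by(st, uid, gids):
    """Could a process running as uid/gids create a file in this directory?"""
    if uid == 0:
        return True
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    # The sticky bit (/tmp style) still allows creating new files, so it
    # does not make a world-writable directory a safe library source.
    return bool(mode & stat.S_IWOTH)


def audit_dir(path, uid, gids):
    """Return a finding for one search directory, or None if it looks safe."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # A missing directory matters only if the user could create it:
        # walk up to the nearest existing ancestor and check that one.
        probe = path
        while not os.path.exists(probe):
            probe = os.path.dirname(probe.rstrip("/")) or "/"
        if writable_by(os.stat(probe), uid, gids):
            return "missing, creatable under " + probe
        return None
    if not stat.S_ISDIR(st.st_mode):
        return None
    if writable_by(st, uid, gids):
        return "writable"
    return None


def audit_rpath(readelf_output, binary_path, uid, gids):
    """Map every expanded search directory to its finding (or None)."""
    findings = {}
    for entry in parse_rpath(readelf_output):
        path = expand_entry(entry, binary_path)
        findings[path] = audit_dir(path, uid, gids)
    return findings


def audit_binary(binary_path, uid, gids):
    """Run readelf on a real binary. LD_LIBRARY_PATH is ignored for setuid
    programs, but the embedded RPATH/RUNPATH is still searched."""
    out = subprocess.run(["readelf", "-d", binary_path],
                         capture_output=True, text=True, check=True).stdout
    return audit_rpath(out, binary_path, uid, gids)


# Constructed readelf output; /opt/app is an assumed install location.
SAMPLE_READELF = """
Dynamic section at offset 0x2d90 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/opt/app/lib:$ORIGIN/../lib:]
"""

if __name__ == "__main__":
    report = audit_rpath(SAMPLE_READELF, "/opt/app/bin/tool", uid=1001, gids={1001})
    for path, finding in report.items():
        print(path, "->", finding or "ok")
```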

CVE-2021-26597 – NOKIA NetAct

Vulnerability Description: Unrestricted Upload of File with Dangerous Type - CWE-434
Software Version: NOKIA NetAct 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-26597
CVSSv3: 6.5
Severity: Medium
Credits: Raffaella Robles, Andrea Carlo Maria Dattola, Massimiliano Brolli

An issue was discovered in Nokia NetAct 18A. A remote user, authenticated to the NOKIA NetAct Web Page, can visit the Site Configuration Tool web site section and arbitrarily upload potentially dangerous files without restrictions via the /netact/sct dir parameter in conjunction with the operation=upload value.


CVE-2021-26596 – NOKIA NetAct

Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Stored Cross-Site Scripting) - CWE-79
Software Version: NOKIA NetAct 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-26596
CVSSv3: 5.4
Severity: Medium
Credits: Raffaella Robles, Andrea Carlo Maria Dattola, Massimiliano Brolli

An issue was discovered in Nokia NetAct 18A. A malicious user can change a filename of an uploaded file to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. Here, the /netact/sct filename parameter is used.

CVE-2021-2005 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware

Vulnerability Description: URL Redirection to Untrusted Site ('Open Redirect')
Software Version: Oracle Business Intelligence Enterprise Edition of Oracle Fusion Middleware. The affected versions are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-2005
Oracle Credits CPU 2021: https://www.oracle.com/security-alerts/cpujan2021.html
CVSSv3: 4.7
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Francesco Russo, Edoardo Predieri, Fabio Minarelli, Massimiliano Brolli

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions) allows an unauthenticated attacker to construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application.

CVE-2020-35590 – WordPress Plugin Limit Login Attempts Reloaded

Vulnerability Description: Improper Restriction of Excessive Authentication Attempts (Rate Limit Bypass on login page)
Software Version: WordPress Plugin Limit Login Attempts Reloaded versions 2.13.0 – 2.17.3.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-35590
CVSSv3: 9.8
Severity: Critical
Credits: Veno Eivazian

LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious user is not limited when performing a brute force attack, because the client IP header accepts any arbitrary string. When the header input is randomized, the login count never reaches the maximum allowed retries.
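As an added illustration (not code from the advisory or from the plugin), the limiter below models the weak configuration described above beside the hardened form, in which the client address is taken from X-Forwarded-For only when the request arrives from a known reverse proxy. The lockout threshold, the proxy address and the client addresses are assumptions.

```python
"""
Added illustration, not code from the TIM advisory or from the
limit-login-attempts-reloaded plugin: a per-IP login limiter showing why
reading the client address from a header that anyone can set defeats the
lockout, and the usual fix of honouring X-Forwarded-For only when the
request really comes from a trusted reverse proxy. MAX_RETRIES, the proxy
address and the client addresses are assumptions.
"""
import random
import string
from collections import defaultdict

MAX_RETRIES = 4                  # assumed lockout threshold
TRUSTED_PROXIES = {"10.0.0.5"}   # assumed reverse proxy in front of the site


class LoginLimiter:
    def __init__(self, trust_client_header):
        # trust_client_header=True mirrors a configuration that takes the
        # source IP from whatever header the client sends.
        self.trust_client_header = trust_client_header
        self.failures = defaultdict(int)

    def client_ip(self, remote_addr, headers):
        """Derive the key under which failed logins are counted."""
        xff = headers.get("X-Forwarded-For", "").strip()
        if self.trust_client_header:
            # Weak: any string the client writes becomes a fresh counter key,
            # so the count for the real address never reaches MAX_RETRIES.
            return xff or remote_addr
        if remote_addr in TRUSTED_PROXIES and xff:
            # Hardened: only the proxy's view is trusted, and only the
            # right-most hop, which is the address the proxy itself saw.
            return xff.split(",")[-1].strip()
        # Direct connection: the header is client-controlled, so ignore it.
        return remote_addr

    def attempt(self, remote_addr, headers, password_ok):
        key = self.client_ip(remote_addr, headers)
        if self.failures[key] >= MAX_RETRIES:
            return "locked"
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"


def random_header_value(length=12):
    """Constructed client input: the header value is not validated as an IP."""
    return "".join(random.choices(string.ascii_letters, k=length))


def locked_attempts(trust_client_header, attempts=50):
    """Send `attempts` wrong passwords from one real address that changes
    X-Forwarded-For on every request; return how many were refused by the
    lockout rather than by the password check."""
    limiter = LoginLimiter(trust_client_header)
    locked = 0
    for _ in range(attempts):
        headers = {"X-Forwarded-For": random_header_value()}
        if limiter.attempt("203.0.113.7", headers, password_ok=False) == "locked":
            locked += 1
    return locked


if __name__ == "__main__":
    print("weak config, attempts blocked by lockout:", locked_attempts(True))
    print("hardened config, attempts blocked by lockout:", locked_attempts(False))
```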

CVE-2020-35589 – WordPress Plugin Limit Login Attempts Reloaded

Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Reflected Cross-Site Scripting) - CWE-79
Software Version: WordPress Plugin Limit Login Attempts Reloaded versions 2.13.0 – 2.17.3.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-35589
CVSSv3: 5.4
Severity: Medium
Credits: Veno Eivazian

The limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows wp-admin/options-general.php?page=limit-login-attempts&tab= XSS. A malicious user can cause an administrator user to supply dangerous content to the vulnerable page, which is then reflected back to the user and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims.

CVE-2020-28209 – Schneider Electric StruxureWare Building Operation Enterprise Server Installer – Enterprise Central Installer

Vulnerability Description: Windows Unquoted Search Path
Software Version: Schneider Electric StruxureWare Building Operation Enterprise Server Installer versions 1.0 – 3.1 and Enterprise Central Installer versions 2.0 – 3.1.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-28209
CVSSv3: 7.0
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli

Any local Windows user who has write permission on at least one of the subfolders of the Connect Agent service binary path is able to gain the privileges of the user who started the service. By default, the Enterprise Server and Enterprise Central are always installed at a location requiring Administrator privileges, so the vulnerability is only valid if the application has been installed in a non-secure location.

CVE-2020-27583 – IBM InfoSphere Information Server

Vulnerability Description: CWE-502: Deserialization of Untrusted Data
Software Version: IBM InfoSphere Information Server 8.5.0.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-27583
CVSSv3: 9.8
Severity: Critical
Credits: Damiano Proietti, Davide De Rubeis, Matteo Brutti, Alessandro Sabetta, Massimiliano Brolli

IBM InfoSphere Information Server 8.5.0.0 is affected by deserialization of untrusted data which could allow remote unauthenticated attackers to execute arbitrary code.

CVE-2020-17458 – MultiUX

Vulnerability Description: Stored XSS
Software Version: 3.1.12.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-17458
CVSSv3: 5.4
Severity: Medium
Credits: Francesco Giordano, Sebastiano Lanzarotto, Francesco Pigini, Massimiliano Brolli

Multiple XSS issues were found in MultiUX: almost every parameter in the mailbox creation page is vulnerable to stored XSS.

CVE-2020-17457 – Fujitsu ServerView Suite iRMC

Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Reflected Cross-Site Scripting) - CWE-79
Software Version: Fujitsu ServerView Suite iRMC v8.08F
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-17457
CVSSv3: 5.4
Severity: Medium
Credits: Damiano Proietti, Stefano Scipioni, Massimiliano Brolli

Fujitsu ServerView Suite iRMC before 9.62F allows '/54?ms=9&lang=0&sid=' XSS on the PSCU_FILE_INIT parameter. A malicious user can insert a malicious payload in the XML configuration file. After selecting 'Save Configuration', the payload is triggered in the error response page, which is then reflected to the user and executed by the web browser.

The full request is the following:

Figure 1: The full HTTP request


The JavaScript code is executed when the error message is displayed:

Figure 2: XSS on error message


CVE-2020-15794 – Siemens Desigo Insight

Vulnerability Description: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Software Version: All versions
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-15794
CVSSv3: 4.3
Severity: Medium
Credits: Davide De Rubeis, Damiano Proietti, Matteo Brutti, Stefano Scipioni, Massimiliano Brolli

Some error messages in the web application show the absolute path to the requested resource. This could allow an authenticated attacker to retrieve additional information about the host system.

The following URL is enough to trigger the vulnerability:

  • http://[IP]:[PORT]/desigo/plant-viewer.aspx?page=[NON-EXISTENT PAGE]

Figure 1: if the requested file doesn't exist, the application returns the full path it searched in


CVE-2020-15793 – Siemens Desigo Insight

Vulnerability Description: CWE-1021: Improper Restriction of Rendered UI Layers or Frames
Software Version: All versions
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-15793
CVSSv3: 4.5
Severity: Medium
Credits: Davide De Rubeis, Damiano Proietti, Matteo Brutti, Stefano Scipioni, Massimiliano Brolli

The device does not properly set the X-Frame-Options HTTP Header which makes it vulnerable to Clickjacking attacks. This could allow an unauthenticated attacker to retrieve or modify data in the context of a legitimate user by tricking that user to click on a website controlled by the attacker.

CVE-2020-15792 – Siemens Desigo Insight

Vulnerability Description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Software Version: All versions
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-15792
CVSSv3: 4.3
Severity: Medium
Credits: Davide De Rubeis, Damiano Proietti, Matteo Brutti, Stefano Scipioni, Massimiliano Brolli

The web service does not properly apply input validation for the ID query parameter in a reserved area at the following URL:

  • http://[IP]:[PORT]/desigo/lv-proprierties.aspx?id=[ID][SQL expression]

This could allow an authenticated attacker to retrieve data via a content-based blind SQL injection attack, using for example the following payloads:

For a "true" response:

id=465587%20and%20%20%27asd%27=%27asd%27%20--

Figure 1: true condition returns the object 465587

For a "false" response:

id=465587%20and%20%20%27asd%27=%27xxx%27%20--

Figure 2: false condition returns an error on the index

CVE-2020-14843 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware

Vulnerability Description: Unrestricted Upload of File with Dangerous Type
Software Version: Oracle Business Intelligence Enterprise Edition of Oracle Fusion Middleware. The affected versions are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-14843
Oracle Credits CPU 2020: https://www.oracle.com/security-alerts/cpuoct2020.html
CVSSv3: 7.1
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Francesco Russo, Edoardo Predieri, Fabio Minarelli, Massimiliano Brolli

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions) allows an authenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data, as well as malware spreading and unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data.

CVE-2020-14842 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware

Vulnerability Description:

  • Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting Stored)
  • Unrestricted Upload of File with Dangerous Type

Software Version: Oracle Business Intelligence Enterprise Edition of Oracle Fusion Middleware. The affected versions are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-14842
Oracle Credits CPU 2020: https://www.oracle.com/security-alerts/cpuoct2020.html
CVSSv3: 8.2
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Francesco Russo, Edoardo Predieri, Fabio Minarelli, Massimiliano Brolli

Multiple vulnerabilities in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions) allow an authenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of these vulnerabilities can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data, as well as malware spreading and unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data.

CVE-2020-14690 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware

Vulnerability Description:

  • Cross-site scripting stored
  • Cross-site scripting

Software Version: Oracle Business Intelligence Enterprise Edition of Oracle Fusion Middleware. The affected versions are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-14690
CVSSv3: 8.2
Severity: High
Credits: Alessandro Bosco, Edoardo Predieri, Fabio Minarelli, Francesco Russo, Luca Di Giuseppe, Massimiliano Brolli

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions) allows an unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and, while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data, as well as unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data.

CVE-2020-12081 – FlexNet Publisher

Vulnerability Description: Improper Limitation of a Pathname to a Restricted Directory ('Full Path Traversal') - CWE-22
Software Version: FlexNet Publisher 11.12.1
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-12081
CVSSv3: 7.5
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli

Step-by-step instructions and PoC

A remote user, authenticated to FlexNet Publisher License Administrator, is able to define an arbitrary full path name in which to save the application logs. By using the "view logs" functionality, the attacker can then access the content of the previously specified file.

Affected Endpoints:

  • URL: http://hostname/vendor
  • Parameter: logFile
  • Function: Change log path and name

Below is the evidence with the vulnerability details and the payloads used.

The HTTP request used by the attacker to change the full path name of the logs to win.ini

Using the "view logs" function, the malicious user can access the previously specified file

Security Impact

By exploiting this issue an attacker is able to read arbitrary files from the file system of the target server.

CVE-2020-9050 – Johnson Controls Metasys MREWeb Service

Vulnerability Description: CWE-22: Full Path Traversal
Software Version: Johnson Controls Metasys MREWeb Service 9.0.0.4256
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-9050
CVSSv3: 7.5
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Stefano Scipioni, Massimiliano Brolli

A remote non-authenticated attacker can define an arbitrary full path name while using the web resource /MREService/Download.aspx. By using this functionality, an attacker can download arbitrary files from the system.

CVE-2020-7573 – Schneider Electric StruxureWare Building Operation WebReports

Vulnerability Description: Improper Access Control
Software Version: Schneider Electric StruxureWare Building Operation WebReports versions 1.9 – 3.1.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-7573
CVSSv3: 6.5
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli

A remote non-authenticated attacker is able to access a restricted web resource due to improper access control.

CVE-2020-7572 – Schneider Electric StruxureWare Building Operation WebReports

Vulnerability Description: Improper Restriction of XML External Entity Reference
Software Version: Schneider Electric StruxureWare Building Operation WebReports versions 1.9 – 3.1.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-7572
CVSSv3: 8.8
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli

A remote user, authenticated to Building Operation WebReports, is able to inject arbitrary XML code containing a reference to an external entity via a crafted HTTP request into the server-side XML parser without being sanitized. By exploiting this vulnerability, an attacker can access the contents of a file on the system potentially containing sensitive data, other restricted web resources via server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts like a denial of service.

CVE-2020-7571 – Schneider Electric StruxureWare Building Operation WebReports

Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting Reflected)
Software Version: Schneider Electric StruxureWare Building Operation WebReports versions 1.9 – 3.1.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-7571
CVSSv3: 5.4
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli

Multiple Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Reflected) vulnerabilities exist that could allow a remote attacker to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a reflected Cross-Site Scripting attack against other WebReports users.

CVE-2020-7570 – Schneider Electric StruxureWare Building Operation WebReports

Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting Stored)
Software Version: Schneider Electric StruxureWare Building Operation WebReports versions 1.9 – 3.1.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-7570
CVSSv3: 5.4
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli

An Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Stored) vulnerability exists that could allow an authenticated remote user to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a stored Cross-Site Scripting attack against other WebReports users.

CVE-2020-7569 – Schneider Electric StruxureWare Building Operation WebReports

Vulnerability Description: Unrestricted Upload of File with Dangerous Type
Software Version: Schneider Electric StruxureWare Building Operation WebReports versions 1.0 – 3.1.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-7569
CVSSv3: 8.8
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli

An Unrestricted Upload of File with Dangerous Type vulnerability exists that could allow an authenticated remote user to upload arbitrary files due to incorrect verification of user-supplied files and achieve remote code execution.

CVE-2020-2505 – QNAP QES

Vulnerability Description: Information Disclosure
Software Version: QES 2.0.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-2505
CVSSv3: 2.3
Severity: Low
Credits: Francesco Giordano, Francesco Pigini, Sebastiano Lanzarotto, Massimiliano Brolli

In QNAP QES 2.0.0 there is a vulnerability that allows an attacker to exploit a type confusion to find information on the platform.

CVE-2020-2504 – QNAP QES

Vulnerability Description: Arbitrary File Download
Software Version: QES 2.0.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-2504
CVSSv3: 7.5
Severity: High
Credits: Francesco Giordano, Francesco Pigini, Sebastiano Lanzarotto, Massimiliano Brolli

A vulnerability was found in QNAP QES 2.0 that allows an authenticated attacker to escape the webroot and download files from the NAS. The vulnerability resides in the download functionality.

CVE-2020-2503 – QNAP QES

Vulnerability Description: Stored XSS via Arbitrary File upload
Software Version: QES 2.0.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-2503
CVSSv3: 5.4
Severity: Medium
Credits: Francesco Giordano, Francesco Pigini, Sebastiano Lanzarotto, Massimiliano Brolli

A vulnerability was found in QNAP QES 2.0 that, if exploited, could allow remote attackers to inject malicious code in File Station. The vulnerability resides in the upload functionality, which does not perform correct sanitization.

CVE-2019-19994 - Selesta Visual Access Manager

Vulnerability Description: OS Command Injection Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19994
CVSSv3: 9.8
Severity: Critical
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli

An attacker without authentication is able to execute arbitrary operating system commands by injecting an HTTP POST parameter on the PHP web page.

CVE-2019-19993 - Selesta Visual Access Manager

Vulnerability Description: Multiple Full Path Disclosure Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19993
CVSSv3: 5.3
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli

This server is configured to display PHP error messages. One or more fully qualified path names were found on this page. From this information the attacker may learn the file system structure from the web server. This information can be used to conduct further attacks.

CVE-2019-19992 - Selesta Visual Access Manager

Vulnerability Description: Arbitrary file read Post-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19992
CVSSv3: 6.5
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli

A user with valid credentials is able to read XML files on the filesystem via the web interface. The PHP page does not check the parameter that identifies the file name to be read. Thus, an attacker can manipulate the file name to access any sensitive file within the filesystem.

CVE-2019-19991 - Selesta Visual Access Manager

Vulnerability Description: Multiple XSS reflected Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19991
CVSSv3: 5.4
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli

A reflected cross-site scripting (XSS) vulnerability allows authenticated remote attackers to inject arbitrary web script or HTML into almost any HTTP GET/POST parameter that reflects the user input without sanitization.

CVE-2019-19990 - Selesta Visual Access Manager

Vulnerability Description: Multiple XSS Stored Post-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19990
CVSSv3: 5.4
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli

A stored cross-site scripting (XSS) vulnerability allows authenticated remote attackers to inject arbitrary web script or HTML into some HTTP GET/POST parameters whose values are stored on the system and later reflected to users.

CVE-2019-19989 - Selesta Visual Access Manager

Vulnerability Description: Multiple Broken Access Control Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19989
CVSSv3: 7.5
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.

Access control (authorization) determines which users can interact with which systems and resources within the web interface. When access control is broken, users can send requests to the application that they are not authorized to make. Unauthorized access to system functionality and resources is an exploitable weakness that exposes the company to harmful and potentially expensive outcomes.

CVE-2019-19988 - Selesta Visual Access Manager

Vulnerability Description: Arbitrary file write Post-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19988
CVSSv3: 8.8
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.

A user with valid credentials is able to create and write XML files on the filesystem via the web interface. The PHP page does not validate the parameter that identifies the file name to be created, so an attacker can manipulate the file name to create any type of file anywhere on the filesystem.

CVE-2019-19987 - Selesta Visual Access Manager

Vulnerability Description: Multiple Cross-Site Request Forgery Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19987
CVSSv3: 6.5
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests rather than theft of data, since the attacker has no way to see the response to the forged request. This vulnerability was found in several pages. An attacker can exploit it in functionalities such as change password, add user, add privileges and so on.
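The standard mitigation for the CSRF finding is a synchronizer token: a secret generated per session, embedded in the application's own forms, and required on every state-changing request. A forged request from another origin cannot carry it, because the attacking page never sees the victim's form. The following Python sketch is an added example written for this page, not code from Selesta or from the TIM team; the session dictionary, the `change_password` handler and the sample values are constructed stand-ins for a real server-side session and endpoint.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple


def new_session() -> Dict[str, str]:
    """Constructed stand-in for a server-side session bound to the session cookie."""
    return {"user": "alice", "password": "old-password"}


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Generate a fresh, unguessable token and keep the server-side copy in the session.
    The same value is rendered into the application's forms as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session: Dict[str, str], submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token against the session copy."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def change_password(session: Dict[str, str], method: str, form: Dict[str, str]) -> Tuple[int, str]:
    """State-changing endpoint: only POST, and only with a valid synchronizer token.
    A cross-origin form post (the CSRF scenario) fails the token check with 403."""
    if method.upper() != "POST":
        return 405, "method not allowed"
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    new_password = form.get("new_password", "")
    if not new_password:
        return 400, "new password required"
    session["password"] = new_password
    return 200, "password changed"
```

Refusing GET for the state change matters on its own: a GET endpoint is forgeable with a plain `<img>` tag, token or not. Setting the session cookie with `SameSite=Lax` or `Strict` is a complementary browser-side control, but the token check is what makes the server independent of browser behaviour.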

CVE-2019-19986 - Selesta Visual Access Manager

Vulnerability Description: SQL Injection Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19986
CVSSv3: 7.5
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.

An unauthenticated attacker is able to execute arbitrary SQL statements by injecting into an HTTP GET/POST parameter of the PHP web page.
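The root cause of a finding like this is a request parameter spliced into the SQL text, and the fix is a bound parameter. The following added example (written for this page in Python with sqlite3, not the product's PHP code, and with a constructed `users` table) puts the two patterns side by side. Instead of an attack string, it uses an ordinary name containing an apostrophe: the concatenating version cannot even parse it, which is exactly the symptom that shows the input is being interpreted as SQL, while the parameterized version treats it as data.

```python
import sqlite3
from typing import List

# Constructed sample rows; the real schema of the product is not known.
SAMPLE_USERS = [("alice", "hash-a"), ("o'brien", "hash-b")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """Vulnerable pattern: the parameter is pasted into the statement text,
    so any quote in the input changes the structure of the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    """Hardened pattern: the value is bound to a placeholder and never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def quote_breaks_query(conn: sqlite3.Connection, name: str) -> bool:
    """True when the concatenating version fails to parse for this input,
    i.e. the input reached the SQL parser instead of staying a literal."""
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True
```

The same distinction holds in PHP with PDO or mysqli prepared statements: the placeholder syntax differs, the principle (query text fixed at prepare time, values bound afterwards) does not.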

CVE-2019-19456 - WOWZA Streaming Engine

Vulnerability Description: Pre-Auth Cross Site Scripting
Software Version: Wowza Streaming Engine < 4.x.x
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19456
CVSSv3: 6.1
Severity: Medium
Credits: Francesco Giordano, Massimiliano Brolli

A Reflected XSS was found in the server selection box inside the login page at:
http://[host]/enginemanager/loginfailed.html

CVE-2019-19455 - WOWZA Streaming Engine

Vulnerability Description: Local Privilege Escalation
Software Version: < 4.8.5
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19455
CVSSv3: 7.8
Severity: High
Credits: Francesco Giordano, Massimiliano Brolli

A local privilege escalation was found in the Linux version of the server. A local user can write arbitrary commands into any file in /usr/local/WowzaStreamingEngine/manager/bin/, since those files are world-writable and are executed as root when the server starts or stops.
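Findings of this kind are easy to audit for: list the files in a directory that the init scripts execute as root and flag any that carry the other-write bit. The following Python audit is an added example for this page, not part of the advisory or of the Wowza product; it builds a constructed temporary directory with placeholder script names so it runs offline, and `restrict_permissions` shows the corresponding remediation.

```python
import os
import stat
import tempfile
from typing import List, Tuple


def world_writable_files(directory: str) -> List[Tuple[str, str]]:
    """Return (name, octal mode) for regular files in `directory` writable by 'other'."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)  # lstat: do not follow symlinks out of the directory
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
            findings.append((name, oct(stat.S_IMODE(st.st_mode))))
    return findings


def restrict_permissions(directory: str, mode: int = 0o755) -> int:
    """Remediation: clear world-write on every flagged file; returns the number changed.
    0o755 keeps the files executable by the service while only the owner can modify them."""
    flagged = world_writable_files(directory)
    for name, _ in flagged:
        os.chmod(os.path.join(directory, name), mode)
    return len(flagged)


def build_constructed_bin_dir() -> str:
    """Constructed stand-in for the product's manager/bin directory.
    The file names are placeholders, not the real script names."""
    d = tempfile.mkdtemp(prefix="mgr-bin-demo-")
    for name, mode in (("start_script.sh", 0o777), ("stop_script.sh", 0o755)):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho placeholder\n")
        os.chmod(path, mode)  # explicit chmod so the process umask does not interfere
    return d


if __name__ == "__main__":
    demo_dir = build_constructed_bin_dir()
    print("before:", world_writable_files(demo_dir))
    restrict_permissions(demo_dir)
    print("after: ", world_writable_files(demo_dir))
```

On a real host the one-liner equivalent is `find /usr/local/WowzaStreamingEngine/manager/bin -type f -perm -o+w`, and the same check belongs in a periodic configuration audit, because a product upgrade can reintroduce the loose permissions.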

CVE-2019-19454 - WOWZA Streaming Engine

Vulnerability Description: Arbitrary File Download
Software Version: Wowza Streaming Engine < 4.x.x
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19454
CVSSv3: 7.5
Severity: High
Credits: Francesco Giordano, Massimiliano Brolli

An arbitrary file download was found in the "Download Log" functionality at
https://[host]/enginemanager/server/logs/download

CVE-2019-19453 - WOWZA Streaming Engine

Vulnerability Description: Stored XSS
Software Version: < 4.8.5
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19453
CVSSv3: 6.1
Severity: Medium
Credits: Francesco Giordano, Massimiliano Brolli

An authenticated user with access to proxy license editing is able to insert a malicious payload that is triggered on the main page of the server settings.

CVE-2019-17406 - NOKIA IMPACT

Vulnerability Description: Path Traversal
Software Version: NOKIA IMPACT < 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-17406
CVSSv3: 5.3
Severity: Medium
Credits: Francesco Giordano, Alessandro Sabetta, Massimiliano Brolli

An authenticated user with access to the CDP component of NOKIA IMPACT is able to save files at arbitrary locations on the filesystem. The vulnerability was found in a feature that allows multiple devices to be loaded by uploading a properly formatted CSV file.

The filename parameter is vulnerable to path traversal: by giving the file a relative-path name, an attacker can save it at an arbitrary location on the filesystem (e.g. ../../../../../../../tmp/myfile.csv).
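The Selesta arbitrary file read and write entries above and this Nokia path traversal share one root cause: a client-supplied file name is used to build a filesystem path without checking where it ends up. The following Python helpers are an added example for this page (not code from either vendor or from the TIM team; the base directory and file names are constructed placeholders) showing the two checks a server-side handler needs: a strict allowlist when only a bare file name is expected, and a realpath-based containment check when a path under a fixed directory is legitimately needed. It is written generally, so it also rejects absolute names and symlinks that point outside the base directory.

```python
import os
import re
from typing import Optional, Tuple

# Allowlist for a bare file name: starts with an alphanumeric, no path separators.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def safe_basename(user_name: str, allowed_ext: Tuple[str, ...]) -> Optional[str]:
    """Accept only a plain file name with a known extension; None means reject."""
    if not NAME_RE.fullmatch(user_name) or ".." in user_name:
        return None
    if os.path.splitext(user_name)[1].lower() not in allowed_ext:
        return None
    return user_name


def resolve_within(base_dir: str, user_name: str, allowed_ext: Tuple[str, ...]) -> str:
    """Resolve user_name under base_dir and return the absolute path.
    Raises ValueError if the resolved path escapes base_dir (via '..', an absolute
    name or a symlink) or if the extension is not on the allowlist."""
    if not user_name or "\x00" in user_name:
        raise ValueError("empty or NUL-containing name")
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when user_name is absolute; realpath then
    # collapses '..' and follows symlinks, so the containment test sees the
    # path the OS would actually open.
    candidate = os.path.realpath(os.path.join(base, user_name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    if os.path.splitext(candidate)[1].lower() not in allowed_ext:
        raise ValueError("extension not allowed")
    return candidate


def is_contained(base_dir: str, user_name: str, allowed_ext: Tuple[str, ...]) -> bool:
    """Boolean convenience wrapper around resolve_within."""
    try:
        resolve_within(base_dir, user_name, allowed_ext)
        return True
    except ValueError:
        return False
```

For the Nokia case, rejecting anything that fails `safe_basename` is enough, since a CSV import never needs directory components; the extension check also closes the door on the unrestricted-upload variant described further down, where the uploaded file must not be writable into a web-served directory with a script extension. On a real deployment, pair the check with a detection rule that alerts on upload file names containing `..` or a leading `/`.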


CVE-2019-17405 - NOKIA IMPACT

Vulnerability Description: Cross Site Scripting
Software Version: NOKIA IMPACT < 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-17405
CVSSv3: 6.1
Severity: Medium
Credits: Francesco Giordano, Alessandro Sabetta, Massimiliano Brolli

A reflected (self) cross-site scripting vulnerability was found in the manual page of Nokia CDP at https://[host]/ui/help/en_US/[redacted]ConsoleHelp/index


There is a filter on the input that removes the `.`, but we managed to bypass it by accessing cookie as a key of document.

CVE-2019-17404 - NOKIA IMPACT

Vulnerability Description: Full Path Disclosure
Software Version: NOKIA IMPACT < 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-17404
CVSSv3: 4.3
Severity: Medium
Credits: Francesco Giordano, Alessandro Sabetta, Massimiliano Brolli

An authenticated user with access to the CDP component of NOKIA IMPACT is able to leak the full path of the installation. In particular, the bulk device upload feature (devceimport) discloses detailed information about where the uploaded files are saved within the application filesystem.

If the path traversal is exploited to point to a non-existent path, the application throws an unhandled exception that leaks the full path of the location where the files are saved (full path disclosure).


CVE-2019-17403 - NOKIA IMPACT

Vulnerability Description: Unrestricted File Upload
Software Version: NOKIA IMPACT < 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-17403
CVSSv3: 8.8
Severity: High
Credits: Francesco Giordano, Alessandro Sabetta, Massimiliano Brolli

An authenticated user with access to the CDP component of NOKIA IMPACT is able to upload files with arbitrary extensions.

The deviceImport function parses every file it receives with a csv_parse function. We managed to load a non-CSV file by adding the following line at the beginning of it, followed by our payload.

We uploaded a PHP webshell into a path served by Apache (in our case /opt/[redacted]/5/) and obtained code execution as the apache user.
