
Vulnerability Research & Advisor

Purpose and operating procedures

As part of TIM's Cybersecurity activities, a working group dedicated to performing Security Assessments (Red Team) has been set up; it analyses software developed on demand, commercial software and firmware.

One of the team's goals is to detect the vulnerabilities a potential attacker could exploit to carry out cyber attacks against TIM's infrastructure, and to document the real impact observed.

The activity is not limited to verifying known vulnerabilities: it includes dedicated research aimed at discovering new vulnerabilities that are not yet publicly known (0-day vulnerabilities).

When 0-day vulnerabilities are found, a responsible disclosure process is followed with the vendor of the product analysed: the vulnerabilities discovered are reported promptly and confidentially, so that the vendor can reproduce them and produce a countermeasure (patch) within 90 days of the notification.

Once the countermeasure (patch) has been released, or 90 days after the report, the vulnerabilities are published and classified with MITRE (CVE, Common Vulnerabilities and Exposures).

The same actions are taken within TIM's Security Testing and Incident Handling processes whenever they lead to the discovery of vulnerabilities not yet known to the vendor and the community.

CVE-2020-17458 – MultiUX

Vulnerability Description: Stored XSS
Software Version: 3.1.12.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-17458
CVSSv3: 5.4
Severity: Medium
Credits: Francesco Giordano, Sebastiano Lanzarotto, Francesco Pigini, Massimiliano Brolli

Multiple stored XSS issues were found in MultiUX: almost every parameter in the mailbox creation page is vulnerable to stored XSS.

CVE-2020-15794 – Siemens Desigo Insight

Vulnerability Description: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Software Version: All versions
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-15794
CVSSv3: 4.3
Severity: Medium
Credits: Davide De Rubeis, Damiano Proietti, Matteo Brutti, Stefano Scipioni, Massimiliano Brolli

Some error messages in the web application show the absolute path to the requested resource. This could allow an authenticated attacker to retrieve additional information about the host system.

The following URL is enough to trigger the vulnerability:

  • http://[IP]:[PORT]/desigo/plant-viewer.aspx?page=[NON-EXISTENT PAGE]

Figure 1: if the requested file doesn't exist, the application returns the full path it searched in

CVE-2020-15793 – Siemens Desigo Insight

Vulnerability Description: CWE-1021: Improper Restriction of Rendered UI Layers or Frames
Software Version: All versions
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-15793
CVSSv3: 4.3
Severity: Medium
Credits: Davide De Rubeis, Damiano Proietti, Matteo Brutti, Stefano Scipioni, Massimiliano Brolli

The device does not properly set the X-Frame-Options HTTP header, which makes it vulnerable to clickjacking attacks. This could allow an unauthenticated attacker to retrieve or modify data in the context of a legitimate user by tricking that user into clicking on a website controlled by the attacker.
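The missing control here is a framing restriction on the response. The following check, added as an example and not taken from the product or the advisory, parses raw HTTP response headers and reports whether an effective restriction is present: a CSP frame-ancestors directive, a valid X-Frame-Options value, a weak or obsolete value (ALLOW-FROM, conflicting headers, a wildcard source), or nothing at all. The response samples are constructed.

```python
# Added example: classify the framing protection carried by an HTTP response.
# The sample responses below are constructed, not captured from any real device.

SAMPLE_RESPONSES = {
    # No framing header at all: the page can be embedded in any attacker-controlled frame.
    "unprotected": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "\r\n"
        "<html>...</html>"
    ),
    "xfo_deny": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "X-Frame-Options: DENY\r\n"
        "\r\n"
    ),
    # ALLOW-FROM was never widely supported and is ignored by current browsers.
    "xfo_allow_from": (
        "HTTP/1.1 200 OK\r\n"
        "X-Frame-Options: ALLOW-FROM https://intranet.example\r\n"
        "\r\n"
    ),
    "csp_self": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"
        "\r\n"
    ),
    "csp_wildcard": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Security-Policy: frame-ancestors *\r\n"
        "\r\n"
    ),
}


def parse_headers(raw_response):
    """Map lowercase header names to the list of values seen (headers may repeat)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def framing_protection(raw_response):
    """Return 'csp', 'xfo', 'weak' or 'none' describing the response's framing restriction."""
    headers = parse_headers(raw_response)

    # frame-ancestors, when present, overrides X-Frame-Options in supporting browsers.
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                sources = {t.lower().strip("'") for t in tokens[1:]}
                if "*" in sources or "http:" in sources:
                    return "weak"              # any origin may frame the page
                return "csp"

    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    if not xfo:
        return "none"
    if len(set(xfo)) > 1:
        return "weak"                          # conflicting values are treated as invalid
    if xfo[0] in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "weak"                              # ALLOW-FROM or a misspelt value: no protection


def audit(responses):
    """Name -> verdict for a batch of responses; 'none' and 'weak' are findings."""
    return {name: framing_protection(raw) for name, raw in responses.items()}
```

The fix on the server side is to emit `X-Frame-Options: DENY` (or `SAMEORIGIN` where same-site framing is needed) together with a `Content-Security-Policy: frame-ancestors` directive, and to re-run a check like this one against every authenticated page, since the header is often set on the login page only.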

CVE-2020-15792 – Siemens Desigo Insight

Vulnerability Description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Software Version: All versions
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-15792
CVSSv3: 4.3
Severity: Medium
Credits: Davide De Rubeis, Damiano Proietti, Matteo Brutti, Stefano Scipioni, Massimiliano Brolli

The web service does not properly apply input validation to the ID query parameter in a reserved area at the following URL:

  • http://[IP]:[PORT]/desigo/lv-proprierties.aspx?id=[ID][SQL expression]

This could allow an authenticated attacker to retrieve data via a content-based blind SQL injection attack, using, for example, the following payloads:

For a "true" response (Figure 1: the true condition returns the object 465587):

id=465587%20and%20%20%27asd%27=%27asd%27%20--

For a "false" response (Figure 2: the false condition returns an error on the index):

id=465587%20and%20%20%27asd%27=%27xxx%27%20--
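The two payloads above work because the parameter value is spliced into the SQL text, so an appended boolean expression decides whether the row comes back. The example below is added here and is not the product's code: it reproduces that behaviour against a constructed in-memory SQLite table and places it beside the hardened handler, which type-checks the value and binds it as a query parameter, so both payloads are refused before any SQL runs. The table name, the `handle_request` helper and the status codes are assumptions.

```python
# Added example: boolean-based blind SQL injection through string concatenation,
# and the parameterised handler that closes it. The table is a constructed stand-in.
import re
import sqlite3
from urllib.parse import unquote


def build_db():
    """Constructed in-memory stand-in for the application's object table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE objects (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO objects VALUES (?, ?)",
                     [(465587, "plant-1"), (465588, "plant-2")])
    return conn


DB = build_db()

# The two advisory payloads, decoded from their URL-encoded form.
TRUE_PAYLOAD = unquote("465587%20and%20%20%27asd%27=%27asd%27%20--")
FALSE_PAYLOAD = unquote("465587%20and%20%20%27asd%27=%27xxx%27%20--")


def lookup_vulnerable(conn, raw_id):
    """Vulnerable pattern: the query-string value is concatenated into the SQL text,
    so the appended boolean expression becomes part of the WHERE clause."""
    sql = "SELECT name FROM objects WHERE id = " + raw_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_fixed(conn, raw_id):
    """Hardened: accept only a plain integer literal, then bind it as a parameter."""
    if not re.fullmatch(r"[0-9]{1,12}", raw_id):
        raise ValueError("id must be a plain integer")
    row = conn.execute("SELECT name FROM objects WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None


def handle_request(conn, query_string, fixed=True):
    """Minimal stand-in for the endpoint: returns (status, body)."""
    params = dict(p.split("=", 1) for p in query_string.split("&") if "=" in p)
    raw_id = unquote(params.get("id", ""))
    try:
        name = (lookup_fixed if fixed else lookup_vulnerable)(conn, raw_id)
    except ValueError:
        return 400, "invalid id"
    except sqlite3.Error as exc:
        # Malformed injected SQL surfaces here; a distinct response for "error" versus
        # "no row" is exactly the oracle a blind injection reads.
        return 500, f"database error: {exc}"
    return (200, name) if name else (404, "object not found")
```

Run with `fixed=False` the handler answers 200 for the "true" payload and 404 for the "false" one, which is the difference the advisory's Figures 1 and 2 show; with `fixed=True` both payloads get a 400 and never reach the database. Type validation alone is not the fix, parameter binding is; the regex merely lets the handler fail fast with a clear error.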

CVE-2020-14843 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware

Vulnerability Description: Unrestricted Upload of File with Dangerous Type
Software Version: Oracle Business Intelligence Enterprise Edition of Oracle Fusion Middleware. The affected versions are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-14843
Oracle Credits CPU 2020: https://www.oracle.com/security-alerts/cpuoct2020.html
CVSSv3: 7.1
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Francesco Russo, Edoardo Predieri, Fabio Minarelli, Massimiliano Brolli

A vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions) allows an authenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data, as well as malware spreading and unauthorized update, insert or delete access to some Oracle Business Intelligence Enterprise Edition accessible data.

CVE-2020-14842 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware

Vulnerability Description:

  • Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting Stored)
  • Unrestricted Upload of File with Dangerous Type

Software Version: Oracle Business Intelligence Enterprise Edition of Oracle Fusion Middleware. The affected versions are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-14842
Oracle Credits CPU 2020: https://www.oracle.com/security-alerts/cpuoct2020.html
CVSSv3: 8.2
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Francesco Russo, Edoardo Predieri, Fabio Minarelli, Massimiliano Brolli

Multiple vulnerabilities in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions) allow an authenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data, as well as malware spreading and unauthorized update, insert or delete access to some Oracle Business Intelligence Enterprise Edition accessible data.

CVE-2020-14690 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware

Vulnerability Description:

  • Cross-site scripting stored
  • Cross-site scripting

Software Version: Oracle Business Intelligence Enterprise Edition of Oracle Fusion Middleware. The affected versions are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-14690
CVSSv3: 8.2
Severity: High
Credits: Alessandro Bosco, Edoardo Predieri, Fabio Minarelli, Francesco Russo, Luca Di Giuseppe, Massimiliano Brolli

A vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions) allows an unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and, while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products. Successful attacks can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data, as well as unauthorized update, insert or delete access to some Oracle Business Intelligence Enterprise Edition accessible data.

CVE-2020-12081 – FlexNet Publisher

Vulnerability Description: Improper Limitation of a Pathname to a Restricted Directory ('Full Path Traversal') - CWE-22
Software Version: FlexNet Publisher 11.12.1
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-12081
CVSSv3: 7.5
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli

Step-by-step instructions and PoC

A remote user authenticated to the FlexNet Publisher License Administrator is able to define an arbitrary full path name where the application logs are saved. By then using the "view logs" functionality, the attacker can read the content of the previously specified file.

Affected Endpoints:

  • URL: http://hostname/vendor
  • Parameter: logFile
  • Function: Change log path and name

Below is the evidence with the vulnerability details and the payloads used.

Figure 1: the HTTP request used by the attacker to change the full path name of the logs to win.ini

Figure 2: using the "view logs" function, the malicious user can access the previously specified file

Security Impact

By exploiting this issue an attacker is able to read arbitrary files from the file system of the target server.

CVE-2019-19994 - Selesta Visual Access Manager

Vulnerability Description: OS Command Injection Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19994
CVSSv3: 9.8
Severity: Critical
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli

An attacker without authentication is able to execute arbitrary operating system commands by injecting into an HTTP POST parameter of the PHP web page.

CVE-2019-19993 - Selesta Visual Access Manager

Vulnerability Description: Multiple Full Path Disclosure Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19993
CVSSv3: 5.3
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli

The server is configured to display PHP error messages, and one or more fully qualified path names were found on the page. From this information an attacker may learn the file system structure of the web server, which can be used to conduct further attacks.

CVE-2019-19992 - Selesta Visual Access Manager

Vulnerability Description: Arbitrary file read Post-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19992
CVSSv3: 6.5
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli

A user with valid credentials is able to read XML files on the filesystem via the web interface. The PHP page does not check the parameter that identifies the file name to be read, so an attacker can manipulate the file name to access any sensitive file within the filesystem.

CVE-2019-19991 - Selesta Visual Access Manager

Vulnerability Description: Multiple XSS reflected Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19991
CVSSv3: 5.4
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli

A reflected cross-site scripting (XSS) vulnerability allows authenticated remote attackers to inject arbitrary web script or HTML into almost any HTTP GET/POST parameter that reflects the user input without sanitization.

CVE-2019-19990 - Selesta Visual Access Manager

Vulnerability Description: Multiple XSS Stored Post-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19990
CVSSv3: 5.4
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli

A stored cross-site scripting (XSS) vulnerability allows authenticated remote attackers to inject arbitrary web script or HTML into some HTTP GET/POST parameters whose user input is stored on the system and later reflected.

CVE-2019-19989 - Selesta Visual Access Manager

Vulnerability Description: Multiple Broken Access Control Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19989
CVSSv3: 7.5
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli

Access control (authorization) determines which users can interact with systems and resources within the Web interface. When access control is broken, users could send unauthorized requests to the application. Unauthorized access to system functionality and resources creates an exploitable weakness that opens your company to harmful and potentially expensive outcomes.

CVE-2019-19988 – Selesta Visual Access Manager

Vulnerability Description: Arbitrary file write Post-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19988
CVSSv3: 8.8
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli

A user with valid credentials is able to create and write XML files on the filesystem via the web interface. The PHP page does not check the parameter that identifies the file name to be created, so an attacker can manipulate the file name to create any type of file within the filesystem.

CVE-2019-19987 - Selesta Visual Access Manager

Vulnerability Description: Multiple Cross-Site Request Forgery Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19987
CVSSv3: 6.5
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. This vulnerability has been found in several pages. An attacker can exploit it in functionalities such as change password, add user, add privileges and so on.

CVE-2019-19986 - Selesta Visual Access Manager

Vulnerability Description: SQL Injection Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19986
CVSSv3: 7.5
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli

An attacker without authentication is able to execute arbitrary SQL statements by injecting into HTTP POST/GET parameters of the PHP web page.

CVE-2019-19456 - WOWZA Streaming Engine

Vulnerability Description: Pre-Auth Cross Site Scripting
Software Version: Wowza Streaming Engine < 4.x.x
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19456
CVSSv3: 6.1
Severity: Medium
Credits: Francesco Giordano, Massimiliano Brolli

A Reflected XSS was found in the server selection box inside the login page at:
http://[host]/enginemanager/loginfailed.html

CVE-2019-19455 - WOWZA Streaming Engine

Vulnerability Description: Local Privilege Escalation
Software Version: < 4.8.5
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19455
CVSSv3: 7.8
Severity: High
Credits: Francesco Giordano, Massimiliano Brolli

A local privilege escalation was found in the Linux version of the server. A user can write arbitrary commands into any file in /usr/local/WowzaStreamingEngine/manager/bin/, since those files are writable by anyone and are executed as root when the server starts or stops.
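The root cause is a permission bit, so it can be audited and corrected mechanically. The script below is an added example, not part of the product or the advisory: it walks a directory, flags regular files whose other-write bit is set (using lstat so symlinks are not followed), and strips group and other write bits from the flagged files. The sample directory it builds is a constructed stand-in with invented script names, not the real product layout.

```python
# Added example: audit and fix world-writable files in a directory that a
# privileged service executes scripts from. The sample tree is constructed.
import os
import stat
import tempfile


def world_writable_files(directory):
    """Return paths (relative to directory) of regular files with the other-write bit set."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode          # lstat: do not follow symlinks
            if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
                findings.append(os.path.relpath(path, directory))
    return sorted(findings)


def fix_permissions(directory):
    """Clear group and other write bits on flagged files; return how many were changed."""
    changed = 0
    for rel in world_writable_files(directory):
        path = os.path.join(directory, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~(stat.S_IWGRP | stat.S_IWOTH))
        changed += 1
    return changed


def build_sample_tree():
    """Constructed stand-in for a service bin/ directory (invented file names):
    one script left mode 0777, one with the 0755 a root-executed script should have."""
    d = tempfile.mkdtemp(prefix="svc-bin-")
    for name, mode in (("service-start.sh", 0o777), ("service-stop.sh", 0o755)):
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho placeholder\n")
        os.chmod(path, mode)
    return d


if __name__ == "__main__":
    sample = build_sample_tree()
    print("world-writable before fix:", world_writable_files(sample))
    print("files changed:", fix_permissions(sample))
    print("world-writable after fix:", world_writable_files(sample))
```

Ownership matters as much as mode: a script run by root at boot should be owned by root, since a non-root owner can chmod it back. Extending the audit to flag files under the service directory not owned by root is the natural next check.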

CVE-2019-19454 - WOWZA Streaming Engine

Vulnerability Description: Arbitrary File Download
Software Version: Wowza Streaming Engine < 4.x.x
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19454
CVSSv3: 7.5
Severity: High
Credits: Francesco Giordano, Massimiliano Brolli

An arbitrary file download was found in the "Download Log" functionality at
https://[host]/enginemanager/server/logs/download

CVE-2019-19453 - WOWZA Streaming Engine

Vulnerability Description: Stored XSS
Software Version: < 4.8.5
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19453
CVSSv3: 6.1
Severity: Medium
Credits: Francesco Giordano, Massimiliano Brolli

An authenticated user with access to proxy license editing is able to insert a malicious payload that is triggered in the main page of the server settings.

CVE-2019-17406 - NOKIA IMPACT

Vulnerability Description: Path Traversal
Software Version: NOKIA IMPACT < 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-17406
CVSSv3: 5.3
Severity: Medium
Credits: Francesco Giordano, Alessandro Sabetta, Massimiliano Brolli

An authenticated user with access to the CDP component of NOKIA IMPACT is able to save files in arbitrary locations on the filesystem. This vulnerability was found in a feature of the system that allows multiple devices to be loaded by uploading a properly formatted CSV file.

The filename parameter is vulnerable to path traversal: by naming the file as a relative path, an attacker is able to save it in an arbitrary location on the filesystem (e.g. ../../../../../../../tmp/myfile.csv).
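This advisory, the FlexNet Publisher log path issue (CVE-2020-12081) and the Selesta arbitrary file read and write issues (CVE-2019-19992, CVE-2019-19988) share one defect: a client-supplied name is used as a filesystem path without being confined to a directory. The following confinement check is an added example and not code from any of those products; it rejects absolute paths, Windows-style separators and drive letters (posixpath does not normalise `..\`, so a check that only normalises would pass on a Linux build and traverse on a Windows server), and anything that resolves outside the base directory. The base directory and sample names are constructed.

```python
# Added example: confine a user-supplied file name to a fixed base directory.
# Base directory and sample names are constructed, not taken from any product.
import os
import re


def safe_join(base_dir, user_name):
    """Resolve user_name inside base_dir, or raise ValueError if it would escape."""
    if not user_name or user_name in (".", ".."):
        raise ValueError("empty or reserved name")
    if "\x00" in user_name:
        raise ValueError("NUL byte in name")
    # posixpath treats '\' as an ordinary character, so '..\\..\\win.ini' would survive
    # normalisation here yet traverse on a Windows host: reject it outright, together
    # with drive-letter prefixes such as 'C:'.
    if "\\" in user_name or re.match(r"^[A-Za-z]:", user_name):
        raise ValueError("Windows-style path components are not allowed")
    if os.path.isabs(user_name):
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_name))
    # realpath also resolves symlinks, so a link inside base pointing outside is caught.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the base directory")
    return candidate


def is_confined(base_dir, user_name):
    """Boolean wrapper around safe_join for audits and tests."""
    try:
        safe_join(base_dir, user_name)
        return True
    except ValueError:
        return False


# Constructed names of the kinds that appear across the advisories above.
SAMPLE_NAMES = [
    "devices.csv",
    "2020/devices.csv",
    "sub/../devices.csv",
    "../../../../../../../tmp/myfile.csv",
    "/etc/passwd",
    "C:\\Windows\\win.ini",
    "..\\..\\win.ini",
]


def classify(base_dir, names=SAMPLE_NAMES):
    """Name -> 'ok' or 'rejected' for a batch of candidate names."""
    return {n: ("ok" if is_confined(base_dir, n) else "rejected") for n in names}


if __name__ == "__main__":
    for name, verdict in classify("/var/app/uploads").items():
        print(f"{verdict:9} {name}")
```

For a log-file setting such as the FlexNet case, the stronger design is to accept only a bare file name (no separators at all) and build the path server-side; `safe_join` is the general form for features that legitimately need subdirectories.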

CVE-2019-17405 - NOKIA IMPACT

Vulnerability Description: Cross Site Scripting
Software Version: NOKIA IMPACT < 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-17405
CVSSv3: 6.1
Severity: Medium
Credits: Francesco Giordano, Alessandro Sabetta, Massimiliano Brolli

A self-reflected cross-site scripting (XSS) vulnerability was found in the manual page of Nokia CDP at https://[host]/ui/help/en_US/[redacted]ConsoleHelp/index

The payload used is shown in the screenshot.

The input is filtered to remove the "." character, but we bypassed the filter by accessing cookie as a key of document.
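The bypass works because the filter removes one character while leaving the markup itself untouched; bracket access is just one of many ways to express the same thing without a dot. The example below is added here and is not the product's code: it places the dot-stripping blacklist beside contextual output encoding and shows that only the latter leaves no raw markup in the rendered page. The template and sample input are constructed.

```python
# Added example: a character blacklist versus HTML output encoding for a value
# reflected into a page. Template and sample input are constructed.
import html


def dot_stripping_filter(value):
    """The blacklist described above: drop '.' and pass everything else through."""
    return value.replace(".", "")


def render_vulnerable(query):
    """Filtered but not encoded: tags and attributes survive the filter untouched."""
    return "<p>Results for: " + dot_stripping_filter(query) + "</p>"


def render_hardened(query):
    """Encode for the HTML text context; the blacklist becomes unnecessary."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


# Constructed input: a tag whose handler reads the cookie by bracket access, so the
# filter's '.' removal does not break it (the technique the advisory describes).
SAMPLE_INPUT = "<img src=x onerror=\"alert(document['cookie'])\">"


def inserted_value(rendered):
    """Extract what ended up between the fixed markup of the template."""
    prefix, suffix = "<p>Results for: ", "</p>"
    return rendered[len(prefix):-len(suffix)]


def is_neutralised(rendered):
    """True if the inserted value contains no raw '<' or '\"' that could open markup."""
    value = inserted_value(rendered)
    return "<" not in value and '"' not in value


if __name__ == "__main__":
    print("blacklist :", render_vulnerable(SAMPLE_INPUT))
    print("encoded   :", render_hardened(SAMPLE_INPUT))
```

Encoding must match the context the value lands in: `html.escape` is right for element text and quoted attribute values, while a value inserted into a script block or a URL needs the encoding for that context instead.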

CVE-2019-17404 - NOKIA IMPACT

Vulnerability Description: Full Path Disclosure
Software Version: NOKIA IMPACT < 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-17404
CVSSv3: 4.3
Severity: Medium
Credits: Francesco Giordano, Alessandro Sabetta, Massimiliano Brolli

An authenticated user with access to the CDP component of NOKIA IMPACT is able to leak the full path of the installation. In particular, the massive device upload feature (devceimport) releases detailed information about the location where the files are saved within the application filesystem.

If the path traversal is exploited to point to a non-existent path, the application throws an unhandled exception that leaks the full path of where the files are saved (full path disclosure).

CVE-2019-17403 - NOKIA IMPACT

Vulnerability Description: Unrestricted File Upload
Software Version: NOKIA IMPACT < 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-17403
CVSSv3: 8.8
Severity: High
Credits: Francesco Giordano, Alessandro Sabetta, Massimiliano Brolli

An authenticated user with access to the CDP component of NOKIA IMPACT is able to upload files with arbitrary extensions.

The deviceImport function parses every file received with a csv_parse function. We managed to upload a non-CSV file by adding the following line at the beginning of it, followed by our payload.

We uploaded a PHP webshell into a path served by Apache (in our case /opt/[redacted]/5/) and obtained code execution as the apache user.
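"It parses as CSV" is not a validation: a CSV parser will happily read a file whose first line looks like a header and whose remaining lines are script. The following upload validator is an added example, not the product's code; it requires a known header and column count, allowlists the characters of every cell, accepts only a `.csv` extension, and stores the file under a server-generated name (the client name never reaches the filesystem), with the import directory assumed to sit outside any web-served path. The column schema and both sample uploads are constructed; the "disguised" one is harmless text standing in for a script file, not a webshell.

```python
# Added example: validating a CSV import so that a disguised script file is refused.
# Schema, file names and sample contents are constructed.
import csv
import io
import os
import re
import secrets

ALLOWED_EXTENSIONS = {".csv"}
EXPECTED_HEADER = ["device_id", "model"]          # assumed import schema, not the product's
FIELD_RE = re.compile(r"[A-Za-z0-9 _.:-]{1,64}")  # allowlist applied to every cell


def validate_csv(content):
    """Return the parsed rows, or raise ValueError with the reason the file is refused."""
    try:
        text = content.decode("utf-8")
    except UnicodeDecodeError:
        raise ValueError("not UTF-8 text")
    if "\x00" in text:
        raise ValueError("binary content")
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames is None or [h.strip() for h in reader.fieldnames] != EXPECTED_HEADER:
        raise ValueError("unexpected header")
    rows = []
    for n, row in enumerate(reader, start=2):
        # DictReader reports extra fields under key None and missing ones as value None.
        if None in row or None in row.values():
            raise ValueError(f"line {n}: wrong number of fields")
        for key, value in row.items():
            if not FIELD_RE.fullmatch(value):
                raise ValueError(f"line {n}: field {key!r} contains disallowed characters")
        rows.append(row)
    if not rows:
        raise ValueError("no data rows")
    return rows


def accept_upload(client_filename, content):
    """Decide on an upload; the client file name is used only for the extension check."""
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return {"ok": False, "reason": f"extension {ext!r} not allowed"}
    try:
        rows = validate_csv(content)
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}
    # Server-generated name: nothing the client sent is used to build the path, and
    # the import directory is assumed to be outside any web-served location.
    stored_as = secrets.token_hex(16) + ".csv"
    return {"ok": True, "stored_as": stored_as, "rows": len(rows)}


# Constructed samples: a valid import, and a stand-in for a script file that starts
# with a CSV-looking header line (harmless text, not a real webshell).
GOOD_UPLOAD = b"device_id,model\r\n0001,RTR-100\r\n0002,RTR-200\r\n"
DISGUISED_UPLOAD = b"device_id,model\r\n<?php echo 'stand-in'; ?>\r\n"

if __name__ == "__main__":
    print(accept_upload("devices.csv", GOOD_UPLOAD))
    print(accept_upload("devices.csv", DISGUISED_UPLOAD))
    print(accept_upload("devices.php", GOOD_UPLOAD))
```

The header-line trick defeats a parser check but not a structural one: the disguised file fails on field count, and a variant padded with commas fails the per-cell allowlist on its `<` and `?` characters. Keeping the import directory outside the document root means that even a file which somehow passes validation is never served or executed by Apache.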
