SYT-2022-5: Remote code execution vulnerability in configuration restore functionality of Secure Integration Server

Publisher: Softing Industrial Automation GmbH
Document category: csaf_security_advisory
Initial release date: 2022-07-27T10:00:00.000Z
Engine: Secvisogram .2.2.15
Current release date: 2023-11-29T09:07:56.365Z
Build Date: 2023-11-29T09:07:56.365Z
Current version: 2.0.0
Status: final
CVSSv3.1 Base Score: 7.2
Severity: high
Original language: en-US
Language:
Also referred to:

Vulnerabilities

(CVE-2022-2334)

The application searches for the library 'Windows\System32\wbem\wbemcomn.dll', which is not found. An attacker can drop a DLL with this name and leverage it to execute arbitrary code on the target system.

CWE: CWE-427: Uncontrolled Search Path Element
Discovery date: 2022-05-10T10:00:00.000Z

Product status

Known affected
Product                                      CVSS-Vector                                    CVSS Base Score
Softing Secure Integration Server <= V1.22   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H   7.2
Fixed

Remediations

Mitigation

Administrative access to the Windows machine is needed for the attack.

For products:

Acknowledgments

(CVE-2022-1373)

The restore configuration feature is vulnerable to directory traversal when processing zip files. An attacker can craft a zip file to load an arbitrary DLL and execute code. The attacker uses the "restore configuration" feature to upload a zip file containing a path traversal entry, a DLL called ..\..\..\..\..\..\..\..\..\..\..\Windows\System32\wbem\wbemcomn.dll. This causes the file c:\Windows\System32\wbem\wbemcomn.dll to be created and executed upon touching the disk.

CWE: CWE-23: Relative Path Traversal
Discovery date: 2022-05-09T10:00:00.000Z
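
The check below is an added example, not Softing's code or the fix shipped for the product: it shows in Python how a restore routine can reject zip entries like the one described above before anything is written to disk. The function names, the sample archives and their placeholder contents are constructed for illustration.

```python
import io
import zipfile
from pathlib import Path, PureWindowsPath

# Entry name of the form quoted in the advisory text for CVE-2022-1373.
TRAVERSAL_NAME = "..\\" * 11 + "Windows\\System32\\wbem\\wbemcomn.dll"

def make_archive(names):
    """Build a constructed in-memory zip whose entries hold harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()

def unsafe_entries(archive_bytes):
    """Return entry names that would resolve outside the restore directory."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            # PureWindowsPath splits on both '\' and '/', as the Windows target would.
            p = PureWindowsPath(info.filename)
            if p.drive or p.root or ".." in p.parts:
                bad.append(info.filename)
    return bad

def restore(archive_bytes, dest_dir):
    """Extract only if every entry stays under dest_dir; otherwise reject the whole archive."""
    bad = unsafe_entries(archive_bytes)
    if bad:
        raise ValueError(f"rejected archive, unsafe entries: {bad}")
    base = Path(dest_dir).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = base.joinpath(*PureWindowsPath(info.filename).parts).resolve()
            if base not in target.parents:  # second check, on the resolved path
                raise ValueError(f"entry escapes restore directory: {info.filename}")
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.relative_to(base).as_posix())
    return written
```

Rejecting the whole archive when a single entry fails, rather than skipping that entry, keeps a partially restored configuration from being left on disk.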

Product status

Known affected
Product                                      CVSS-Vector                                    CVSS Base Score
Softing Secure Integration Server <= V1.22   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H   7.2
Fixed

Remediations

Mitigation

Administrator access to the configuration UI is needed for the attack.

For products:

Acknowledgments

(CVE-2022-2338)

The server is vulnerable to authentication bypass via a man-in-the-middle (MITM) attack. The attack is possible because, by default, the administration interface is accessible via the plaintext HTTP protocol over port 8099. The scenario is as follows. Administrator Bob (192.168.1.10) is logged in to a server (192.168.1.20), and there is a network-adjacent hacker, Alice (192.168.1.30). After Bob has logged in to the server, he does not click or take any further action. Alice launches a standard ARP spoofing attack against Bob and the server. The traffic between Bob and Triangle then begins flowing through Alice's device. The browser receives a heartbeat from the server every few seconds with some status information, including the server's health. Because Alice is intercepting this traffic in the clear, she can read it and steal the session during the heartbeat: the HTTP request contains the session cookie, which Alice captures and can use to authenticate to the server herself. This concludes the authentication bypass portion of the attack chain.

CWE: CWE-319: Cleartext Transmission of Sensitive Information
Discovery date: 2022-05-09T10:00:00.000Z

Product status

Known affected
Product                                      CVSS-Vector                                    CVSS Base Score
Softing Secure Integration Server <= V1.22   CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N   5.7
Fixed

Remediations

Workaround

Disable the HTTP server in the NGINX configuration of the SIS and use only the HTTPS server.

For products:

Acknowledgments

Softing Industrial Automation GmbH

Namespace: https://industrial.softing.com

Softing PSIRT - contact us at [email protected]

Revision history

Version   Date of the revision        Summary of the revision
1.0.0     2022-07-27T10:00:00.000Z    Initial version
2.0.0     2023-11-29T09:07:56.365Z    Fix for Secure Integration Server

Disclaimer

The information provided in this disclosure is provided "as is" without warranty of any kind. Softing disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Softing or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Softing or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.