| Publisher: Softing Industrial Automation GmbH | Document category: csaf_security_advisory |
| Initial release date: 2022-07-27T10:00:00.000Z | Engine: Secvisogram .2.2.15 |
| Current release date: 2023-11-29T09:07:56.365Z | Build Date: 2023-11-29T09:07:56.365Z |
| Current version: 2.0.0 | Status: final |
| CVSSv3.1 Base Score: 7.2 | Severity: high |
| Original language: en-US | Language: |
| Also referred to: | |
The application searches for a library 'Windows\System32\wbem\wbemcomn.dll' and it is not found. An attacker can drop a dll with this name and leverage it to execute arbitrary code on the target system.
| CWE: | CWE-427:Uncontrolled Search Path Element |
|---|---|
| Discovery date: | 2022-05-10T10:00:00.000Z |
| Product | CVSS-Vector | CVSS Base Score |
|---|---|---|
| Softing Secure Integration Server <= V1.22 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 7.2 |
Administrative access to Windows machine is needed for the attack.
The restore configuration feature is vulnerable to a directory traversal vulnerablity when processing zip files. An attacker can craft a zip file to load an arbitrary dll and execute code. When using the "restore configuration" feature to upload a zip file containing a path traversal file which is a dll called ..\..\..\..\..\..\..\..\..\..\..\Windows\System32\wbem\wbemcomn.dll. This causes the file c:\Windows\System32\wbem\wbemcomn.dll to be created and executed upon touching the disk.
| CWE: | CWE-23:Relative Path Traversal |
|---|---|
| Discovery date: | 2022-05-09T10:00:00.000Z |
| Product | CVSS-Vector | CVSS Base Score |
|---|---|---|
| Softing Secure Integration Server <= V1.22 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 7.2 |
Administrator access to the configuration UI is needed for the attack.
The server is vulnerable to authentication bypass via man in the middle attack (mitm). The mitm attack is possible because by default the administration interface is accessible via plaintext HTTP protocol over port 8099. The scenario being presented is as follows. Administrator Bob (192.168.1.10) is logged in to a server (192.168.1.20) and there is a network adjacent hacker Alice (192.168.1.30). After Bob has logged in to the server he will not click or take any actions. Alice launches a standard ARP spoofing attack against Bob and the server. The traffic between Bob and Triangle then begins flowing through Alice's device. The browser receives a heartbeat from the server every few seconds with some status information including the server's health. Since Alice is intercepting this traffic in the clear she accesses it and steals the session during the heartbeat. This HTTP request will contain the session cookie in the request which Alice captures and can use to authenticate to the server herself, concluding the auth bypass portion of the attack chain.
| CWE: | CWE-319:Cleartext Transmission of Sensitive Information |
|---|---|
| Discovery date: | 2022-05-09T10:00:00.000Z |
| Product | CVSS-Vector | CVSS Base Score |
|---|---|---|
| Softing Secure Integration Server <= V1.22 | CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | 5.7 |
Disable the HTTP Server in NGINX configuration of the SIS and only use the HTTPS server.
Namespace: https://industrial.softing.com
Softing PSIRT - contact us at [email protected]
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1.0.0 | 2022-07-27T10:00:00.000Z | Initial version |
| 2.0.0 | 2023-11-29T09:07:56.365Z | Fix for Secure Integration Server |
The information provided in this disclosure is provided "as is" without warranty of any kind. Softing disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Softing or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Softing or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.