24/04/2024
Table of Contents
- Description
- Affected Products
- PoC
- Risk Information
- CVE ID
- Solution
- IOCs
- Acknowledgements
- Disclosure Timeline
Description
LiveConfig® is a lightweight control panel software that aims to simplify server configuration and to take care of reliable and safe operation.
The LiveConfig® software is prone to an unauthenticated path traversal vulnerability on the 'static' endpoint in versions < 2.5.2.
Recent versions of LiveConfig® are not vulnerable to this issue.
This allows an attacker to read data on the filesystem with the permissions of the 'liveconfig' user, including data from within LiveConfig® itself, such as customer data.
Affected Products
LiveConfig® < 2.5.2
PoC
curl -s -k -X $'GET' --path-as-is 'https://test.machine:8443/static///////../../../../etc/passwd'
Risk Information
DriveByte GmbH calculated a CVSS 4.0 score of 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N), which is written out below for readability:
Exploitability Metrics
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirements (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Metrics
Confidentiality (VC): High (H)
Integrity (VI): None (N)
Availability (VA): None (N)
Subsequent System Impact Metrics
Confidentiality (SC): Low (L)
Integrity (SI): None (N)
Availability (SA): None (N)
CVE ID
CVE-2024-22851
Solution
The vulnerability has no hotfix. It is recommended to upgrade to a newer version of LiveConfig®.
DriveByte GmbH recommends upgrading to the latest version of LiveConfig®. However, the issue is resolved in versions >=2.5.2 by removing the 'static' component entirely.
IOCs
Check the logs for requests to /static///////../../../../ to see whether somebody tried to access files via this vulnerability.
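One way to run that log check, as an added example that is not part of the original advisory or of LiveConfig®: it flags any request under /static that contains a '..' path segment, and goes beyond the literal string above by also catching URL-encoded and differently padded variants. The log layout (quoted request line followed by the status code) and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: the request line appears quoted and is followed by the status
# code, as in common/combined access logs. Adapt REQUEST_RE to your log layout.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def is_static_traversal(target: str) -> bool:
    """True if the target is under /static and contains a '..' path segment."""
    path = target.split("?", 1)[0]
    for _ in range(2):  # decode twice to catch %2e%2e and %252e%252e forms
        path = unquote(path)
    # Dropping empty segments collapses slash runs such as /static///////
    segments = [s for s in path.replace("\\", "/").split("/") if s]
    return bool(segments) and segments[0] == "static" and ".." in segments[1:]


def scan(lines):
    """Return one record per log line that matches the traversal pattern."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match and is_static_traversal(match["target"]):
            hits.append({
                "line": number,
                "client": line.split(" ", 1)[0],
                "target": match["target"],
                # A 200 deserves priority: the file was probably returned.
                "status": int(match["status"]),
            })
    return hits


# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Nov/2023:10:15:02 +0100] "GET /static///////../../../../etc/passwd HTTP/1.1" 200 1432',
    '203.0.113.7 - - [06/Nov/2023:10:15:09 +0100] "GET /static/%2e%2e/%2e%2e/etc/hostname HTTP/1.1" 404 0',
    '198.51.100.20 - - [06/Nov/2023:10:16:40 +0100] "GET /static/css/main.css HTTP/1.1" 200 5120',
    '198.51.100.20 - - [06/Nov/2023:10:16:41 +0100] "GET /static/js/app..min.js HTTP/1.1" 200 7301',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

To scan a real file, pass an open file handle to scan() in place of SAMPLE_LOG.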
Acknowledgements
Our special thanks go to the LiveConfig team for awesome collaboration and insanely fast reaction and response times.
Disclosure Timeline
2023/11/06 - Vendor Informed
2023/11/06 - Vendor checked the information and informed us that the vulnerability was unintentionally fixed on 28.11.2017 in commit 584a11418
2024/01/09 - CVE requested
2024/01/29 - CVE reserved
2024/01/31 - Advisory Published
2024/02/10 - Advisory adjusted