The first critical bug patched is tracked as CVE-2022-31706 and is described as a directory traversal vulnerability that malicious actors can exploit to inject files into the operating system of impacted appliances to achieve remote code execution. A directory traversal vulnerability with a CVSS score of 9.8 out of 10. Directory or path traversal flaws allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like ../ into file or directory paths. In this case, an unauthenticated, malicious actor can inject files into the operating system of an impacted appliance.
The second (tracked as CVE-2022-31704) is a broken access control flaw that can also be abused to gain remote code execution on vulnerable appliances by injecting maliciously crafted files. A broken access control vulnerability which also has a CVSS score of 9.8. It allows an unauthenticated, malicious actor to inject files into the operating system of an impacted appliance which can result in remote code execution. Access control intention is to enforce policies which make sure that users cannot act outside of their intended permissions.
“This vulnerability is easy to exploit however, it requires the attacker to have some infrastructure setup to serve malicious payloads. Additionally, since this product is unlikely to be exposed to the internet, the attacker likely has already established a foothold somewhere else on the network. This vulnerability allows for remote code execution as root, essentially giving an attacker complete control over the system,” said Horizon3 Attack Team researchers.
If you have any support please contact follow email itm@it-management.vn or hotline 1900 9450
