Full Report
Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) has identified multiple vulnerabilities in the Saperion Web Client, a web application developed by Kofax.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Kofax Saperion Web Client
## CVE Details
*Note: Kaspersky published these findings under internal advisory IDs; official CVE IDs were not explicitly mapped in the primary summary, but the flaws correspond to the following:*
- **CVE ID:** CVE-2018-16104 (Remote Code Execution), CVE-2018-16103 (Arbitrary File Read)
- **CVSS Score:** 9.8 (Critical) - *Estimated, based on RCE with SYSTEM privileges*
- **CWE:** CWE-94 (Improper Control of Generation of Code, 'Code Injection'), CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
## Affected Systems
- **Products:** Kofax Saperion Web Client
- **Versions:** Older versions of Saperion Web Client (prior to 2018 updates)
- **Configurations:** Systems exposing the electronic workflow web service on port 443/tcp.
## Vulnerability Description
Kaspersky ICS CERT identified two primary security flaws:
1. **Remote Code Execution (KLCERT-18-001):** An attacker can execute arbitrary code on the host system. Crucially, the web application service runs with **SYSTEM** user privileges, meaning a successful exploit grants the attacker full control over the server.
2. **Arbitrary File Read (KLCERT-18-002):** A flaw in the web client allows a remote attacker to read sensitive files from the local file system. This can be used to harvest credentials, configuration files, or tokens that facilitate the subsequent RCE.
## Exploitation
- **Status:** PoC available (developed by the discovery team); no confirmed widespread exploitation in the wild at the time of the report.
- **Complexity:** Low - Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to all files on the system)
- **Integrity:** High (Ability to modify system files and application data)
- **Availability:** High (Potential for system shutdown or ransomware deployment)
## Remediation
### Patches
- **Vendor Response:** Kofax declined to release official backported patches for the specific versions identified, stating that the vulnerabilities do not exist in the latest versions of the software.
- **Action:** Users are strongly advised to **upgrade to the latest supported version of Saperion Web Client** where these flaws are mitigated.
### Workarounds
- **Network Segmentation:** Restrict access to the Saperion portal from the public Internet.
- **Access Control:** Isolate the web application from networks adjacent to critical Industrial Control Systems (ICS).
- **Hardening:** Run the web service with a low-privileged service account rather than the default SYSTEM account to limit the blast radius of an RCE.
## Detection
- **Intrusion Detection Systems (IDS):** Implement signatures to detect path traversal sequences (e.g., `../`) in HTTP requests directed at Saperion endpoints.
- **Web Application Firewall (WAF):** Deploy a WAF to filter malicious traffic and block unauthorized file access attempts.
- **Monitoring:** Monitor the host serving the portal on port 443/tcp for unusual outbound connections and for unexpected child processes spawned by the web server process (e.g., `cmd.exe` or `powershell.exe` launched by the web service).
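As an added illustration of the two detection ideas above (written for this page, not code from the Kaspersky advisory or from Kofax), the following Python flags traversal sequences in requests to Saperion paths, decoding repeatedly so that double-encoded forms such as `%252e%252e` are caught, and lists shell processes spawned by the web service. The `/saperion/` prefix, the log line format and the service image name are assumptions, not values from the advisory.

```python
import re
from urllib.parse import unquote

# Assumed, not from the advisory: the Saperion web client is served below this prefix.
SAPERION_PREFIX = "/saperion/"
# Child processes a document-management web service has no legitimate reason to spawn.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}

def normalize_path(raw_path: str, max_rounds: int = 3) -> str:
    """Drop the query string, percent-decode until stable (catches double encoding)
    and unify backslashes so '..\\' is treated like '../'."""
    path = raw_path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def is_traversal(raw_path: str) -> bool:
    """True if any path segment is '..' after normalization."""
    return ".." in normalize_path(raw_path).split("/")

# Constructed log format: '<client> "<METHOD> <path> HTTP/x.y" <status>'
LOG_RE = re.compile(r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$')

def find_traversal_requests(log_lines, prefix=SAPERION_PREFIX):
    """Return (client, raw_path, status) for traversal attempts aimed at Saperion paths."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        if normalize_path(path).startswith(prefix) and is_traversal(path):
            hits.append((m.group("src"), path, m.group("status")))
    return hits

def find_suspicious_spawns(events, web_service="saperion-web.exe"):
    """events: (parent_image, child_image) pairs, e.g. from Sysmon process-creation
    events. The web service image name is a hypothetical placeholder."""
    return [(p, c) for p, c in events
            if p.lower() == web_service.lower() and c.lower() in SUSPICIOUS_CHILDREN]

# Constructed sample traffic, not real requests from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 "GET /saperion/docs/view?id=123 HTTP/1.1" 200',
    '10.0.0.9 "GET /saperion/docs/../../../windows/win.ini HTTP/1.1" 200',
    '10.0.0.9 "GET /saperion/%252e%252e/%252e%252e/config.xml HTTP/1.1" 404',
    '10.0.0.7 "GET /other/..%5c..%5cboot.ini HTTP/1.1" 403',
]
```

The last sample line is deliberately outside the Saperion prefix and is not flagged, which shows the scoping; widen `prefix` to `/` to alert on traversal against any path.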
## References
- KLCERT Advisory (RCE): [https]://ics-cert.kaspersky[.]com/advisories/klcert-advisories/2018/02/09/klcert-18-001-saperion-webclient-multiple-vulnerabilities-remote-code-execution-with-system-user-privileges-in-saperion-web-client/
- KLCERT Advisory (File Read): [https]://ics-cert.kaspersky[.]com/advisories/klcert-advisories/2018/02/09/klcert-18-002-saperion-webclient-multiple-vulnerabilities-arbitrary-file-read-in-saperion-web-client/
- Kaspersky Alerts: [https]://ics-cert.kaspersky[.]com/publications/alerts/2018/02/12/multiple-vulnerabilities-found-in-popular-document-management-system/