Full Report
Remote exploitation of the discovered vulnerabilities leads to full compromise of the system running the Saperion Web Client.
Analysis Summary
# Vulnerability: Saperion Web Client Arbitrary File Read
## CVE Details
- **CVE ID:** CVE-2018-6293
- **CVSS Score:** 7.5 (High) - *Note: While the source text displays 0.0, the provided vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) calculates to 7.5.*
- **CWE:** CWE-22 (Improper Limitation of a Pathname to a Restricted Directory / Arbitrary File Read)
## Affected Systems
- **Products:** SAPERION Web Client
- **Versions:** Version 7.5.2 83166
- **Configurations:** Systems with the Saperion Web Client exposed to network traffic.
## Vulnerability Description
The Saperion Web Client contains a security flaw that allows for an arbitrary file read. An unauthenticated remote attacker can exploit this vulnerability to bypass directory restrictions and access sensitive information stored on the host filesystem. This is typically achieved by sending a specially crafted request to the web application that references files outside of the intended web root directory.
## Exploitation
- **Status:** Existence of exploit unknown (as of advisory date)
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Unauthenticated access to arbitrary system files)
- **Integrity:** None
- **Availability:** None
## Remediation
### Patches
- **No Patch Available:** The vendor (Saperion) reportedly refused to release a security patch for this vulnerability as of January 11, 2018.
### Workarounds
- **Network Segmentation:** Restrict access to the vulnerable web application from the public Internet and from networks adjacent to Industrial Control System (ICS) networks.
- **WAF Deployment:** Implement a Web Application Firewall (WAF) to filter and block malicious requests attempting path traversal or unauthorized file access.
- **Access Control:** Implement strict IP-based access control lists (ACLs) to ensure only authorized workstations can communicate with the Saperion Web Client.
## Detection
- **Indicators of Compromise:** Unusual GET requests containing directory traversal sequences (e.g., `../`, `..\`, or encoded equivalents) targeting the web client.
- **Detection methods and tools:**
  - Use an Intrusion Detection System (IDS) with signatures for directory traversal.
  - Monitor web server access logs for 200 OK responses to requests for sensitive system files (e.g., `/etc/passwd`, `web.config`, or boot configuration files).
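The log-monitoring check above can be sketched as follows. This is an added example, not code from the advisory or the vendor: it assumes access logs in Combined Log Format, and the `/example/view` endpoint, its `file` parameter and the sample log lines are constructed placeholders, not the product's real request paths.

```python
import re
from urllib.parse import unquote

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+')
# File names quoted in the detection guidance above.
SENSITIVE = ("/etc/passwd", "web.config")
# A ".." path segment, either in the path or in a query parameter value.
DOTDOT_RE = re.compile(r'(^|[/=&?])\.\.(/|[&?]|$)')

# Constructed sample log; /example/view and its "file" parameter are hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2018:10:00:01 +0000] "GET /example/view?file=../../../../etc/passwd HTTP/1.1" 200 1432
198.51.100.23 - - [11/Jan/2018:10:00:05 +0000] "GET /example/view?file=%252e%252e%255c%252e%252e%255cweb.config HTTP/1.1" 404 210
192.0.2.10 - - [11/Jan/2018:10:00:09 +0000] "GET /example/view?file=report..final.pdf HTTP/1.1" 200 90211
192.0.2.10 - - [11/Jan/2018:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

def normalize(target, max_rounds=3):
    """Percent-decode repeatedly (catches double encoding), unify separators."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/").lower()

def classify(line):
    """Return (client, status, reasons) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    norm = normalize(target)
    reasons = []
    if DOTDOT_RE.search(norm):
        reasons.append("traversal")
    if any(name in norm for name in SENSITIVE):
        reasons.append("sensitive-file")
    if reasons and status == "200":
        reasons.append("served-200")  # the server answered: treat as possible disclosure
    return (client, int(status), reasons) if reasons else None

def scan(log_text):
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for client, status, reasons in scan(SAMPLE_LOG):
        print(client, status, ",".join(reasons))
```

Hits tagged `served-200` deserve priority review, since the server returned content; the benign `report..final.pdf` request is not flagged because `..` there is not a path segment.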
## References
- **Kaspersky ICS CERT Advisory:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2018/02/09/klcert-18-002-saperion-webclient-multiple-vulnerabilities-arbitrary-file-read-in-saperion-web-client/
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2018-6293