Full Report
Remote exploitation of the discovered vulnerabilities leads to full compromise of the system running the Saperion web client.
Analysis Summary
# Vulnerability: Saperion Web Client Multiple Vulnerabilities (RCE)
## CVE Details
- **CVE ID:** CVE-2018-6292
- **CVSS Score:** 9.8 (Critical)
- *Note: The CVSS vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H equates to 9.8, despite the article text's literal "0.0" typo.*
- **CWE:** Improper Input Validation / Remote Code Execution (RCE)
## Affected Systems
- **Products:** SAPERION Web Client
- **Versions:** Version 7.5.2 (Build 83166)
- **Configurations:** Web server deployments on both Windows and Linux operating systems.
## Vulnerability Description
The SAPERION Web Client contains multiple vulnerabilities that permit remote code execution. The flaw allows an unauthenticated attacker to send specially crafted requests to the web server, resulting in the execution of arbitrary commands. On Windows-based systems, commands are executed with **SYSTEM** privileges; on Linux-based systems, they are executed with **www-data** privileges.
## Exploitation
- **Status:** Unknown (No public PoC listed in the advisory, but technical details are documented).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to data and system files)
- **Integrity:** High (Ability to modify system configuration and application data)
- **Availability:** High (Potential for complete system shutdown or service disruption)
## Remediation
### Patches
- **None Available:** As of the advisory date, the vendor (Saperion/Lexmark) has reportedly **refused** to release a security patch for these vulnerabilities.
### Workarounds
Given the lack of official patches, the following mitigations are recommended:
- **Network Segmentation:** Restrict access to the vulnerable web application from the Internet and from networks adjacent to ICS/SCADA environments.
- **Web Application Firewall (WAF):** Implement a WAF to inspect incoming traffic and block malicious payloads targeting the web client.
- **Access Control:** Enforce strict IP whitelisting for users who require access to the Saperion interface.
## Detection
- **Intrusion Detection Systems (IDS):** Use IDS signatures to monitor for anomalous traffic patterns directed at the SAPERION web server.
- **Log Analysis:** Audit web server access logs for unusual command execution attempts or non-standard requests targeted at the web client’s binaries/scripts.
- **Endpoint Monitoring:** Monitor for unexpected child processes spawned by the web server process (e.g., `cmd.exe` or `/bin/sh`).
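The endpoint-monitoring rule above, as an added example that is not part of the advisory: a small Python check over process-creation events (Sysmon/auditd-style fields) that flags a web server process spawning a shell. The web server process names, the event field names and the sample events are assumptions constructed for this illustration, not telemetry from the advisory.

```python
# Added example: detect a web server process spawning a shell (cmd.exe, /bin/sh, ...).
# Event fields and process names are assumptions; adapt to the local EDR/Sysmon schema.
import ntpath
import posixpath

# Assumed web server parents: IIS worker, Java/Tomcat on Windows; Apache/nginx on Linux.
WEB_SERVER_PARENTS = {"w3wp.exe", "java.exe", "tomcat9.exe", "httpd", "apache2", "nginx"}
# Shells a document web client has no legitimate reason to launch.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "sh", "bash", "dash"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (drive letter / backslash) or POSIX path."""
    if "\\" in path or ":" in path:
        return ntpath.basename(path).lower()
    return posixpath.basename(path).lower()


def is_suspicious(event: dict) -> bool:
    """True when the parent is a web server process and the child is a shell."""
    parent = _basename(event["parent_image"])
    child = _basename(event["image"])
    return parent in WEB_SERVER_PARENTS and child in SHELL_CHILDREN


def find_suspicious(events):
    """Return the matching events in their original order."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events (not real telemetry). Two should alert, two should not.
SAMPLE_EVENTS = [
    {"host": "win-web", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\CMD.EXE", "user": r"NT AUTHORITY\SYSTEM"},
    {"host": "win-web", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Program Files\Java\bin\java.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"host": "lnx-web", "parent_image": "/usr/sbin/apache2",
     "image": "/bin/sh", "user": "www-data"},
    {"host": "lnx-web", "parent_image": "/usr/bin/bash",
     "image": "/bin/sh", "user": "operator"},   # interactive admin shell, not the web server
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT {hit['host']}: {hit['parent_image']} -> {hit['image']} as {hit['user']}")
```

The Windows match is case-insensitive because Sysmon records image paths in whatever case the creating process used; the user field is kept so an alert shows the SYSTEM or www-data context the advisory describes.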
## References
- **Kaspersky ICS CERT Advisory:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2018/02/09/klcert-18-001-saperion-webclient-multiple-vulnerabilities-remote-code-execution-with-system-user-privileges-in-saperion-web-client/
- **NVD CVE-2018-6292:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2018-6292