CVE-2021-22652: Advantech iView Missing Authentication RCE (FIXED)

Advantech iView versions prior to 5.7.03.6112 suffer from an instance of "CWE-306: Missing Authentication For Critical Function." This vulnerability (CVE-2021-22652) has a CVSSv3 score of 9.8, which is usually CRITICAL, since it effectively allows anyone who can connect to the iView server to run arbitrary, OS-level commands in the user context of the iView application, which is nearly always SYSTEM-level access.


Product description


Advantech iView is a proprietary, SNMP-based IoT device management application used to manage deployments of Advantech B+B SmartWorx-enabled products, as described on the vendor's product site.


Credit


This issue was discovered by Rapid7 Senior Security Researcher William Vu. It is being disclosed in accordance with Rapid7's vulnerability disclosure policy and in cooperation with the Industrial Control Systems Vulnerability Management and Coordination (ICS-VMC) section of the Cybersecurity and Infrastructure Security Agency (CISA), a division of the U.S. Department of Homeland Security.


Exploitation of CVE-2021-22652 (FIXED)


An unauthenticated configuration change combined with an unauthenticated file write primitive leads to an arbitrary file write that allows for remote code execution as the user running iView, which is typically NT AUTHORITY\SYSTEM. This issue was demonstrated in the vulnerable version 5.7.02.5992 and fixed in version 5.7.03.6112.


The vulnerability can be demonstrated with the following series of curl(1) commands:


Step 0: Confirm vulnerable version