Description
A critical vulnerability has been identified in the Digital Video Controller (DVC) component of the TRCore software. This vulnerability involves a Path Traversal attack vector, allowing for the unrestricted upload of arbitrary files by remote attackers. If exploited, it could lead to arbitrary code execution by uploading webshells, posing severe security risks.
Affected Product(s)
- TRCore DVC Version(s) 6.0 up to but not including 6.4
Technical Details
Path Traversal vulnerabilities are significant security issues within software systems that can allow unauthorized access to the file system. In TRCore DVC, a critical Path Traversal flaw has been identified that remote, unauthenticated attackers can exploit through arbitrary file uploads.
The DVC module is integral to TRCore’s range of products, providing a gateway for digital video content management. Unfortunately, in versions 6.0 up to but not including 6.4, the combination of Path Traversal and improper file upload restrictions presents a severe security hole. Path Traversal, or directory traversal, is where an attacker manipulates file paths to gain unauthorized read/write access to locations outside the intended root directory.
In the case of TRCore DVC, the absence of proper validation of file paths and types creates an attack vector through which malicious entities can write files anywhere in the system, including directories with executable permissions. Exploiting this vulnerability allows attackers to upload web shells or other malicious scripts, leading to arbitrary code execution. Once attackers have code execution capability, they can compromise the entire system, extract sensitive information, or leverage the compromised system to attack other systems.
The exploitation process includes:
- The attacker prepares a malicious file designed to exploit the system’s functionalities through the flawed upload mechanism.
- Using the Path Traversal vulnerability, the attacker uploads the file via a crafted POST request.
- The uploaded file is placed into a specific directory with executable rights due to the lack of path restriction and file validation.
- The attacker then accesses the uploaded script via a web browser or command line, enabling them to interact with the compromised system and execute arbitrary code.
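The path and type validation whose absence is described above, shown as an added example (not TRCore's code or patch): an unchecked join next to a resolver that enforces a bare file name, an extension allowlist and a containment check. The `/srv/dvc/uploads` path, the allowed extensions and all function names are assumptions made for illustration.

```python
from pathlib import Path
import os

# Assumed policy for this sketch: only these media types may be uploaded.
ALLOWED_EXTENSIONS = {".mp4", ".mov", ".jpg", ".png"}


class UploadRejected(ValueError):
    """The client-supplied file name failed validation."""


def naive_destination(upload_root: str, client_name: str) -> str:
    # Flawed pattern: the client-controlled name is joined unchecked, so
    # "../" segments or an absolute path move the result out of upload_root.
    return os.path.normpath(os.path.join(upload_root, client_name))


def safe_destination(upload_root: str, client_name: str) -> Path:
    root = Path(upload_root).resolve()
    # 1. Accept a bare file name only: no separators (either style), no NUL,
    #    no leading dot (".", "..", ".htaccess"-style control files).
    if (not client_name or client_name.startswith(".")
            or any(c in client_name for c in "/\\\x00")):
        raise UploadRejected("file name must be a plain name")
    # 2. Type allowlist on the final extension, compared case-insensitively.
    if Path(client_name).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected("file type not allowed")
    # 3. Containment: resolve the final path (following any symlink already
    #    at that name) and require it to sit directly inside the upload root.
    dest = (root / client_name).resolve()
    if dest.parent != root:
        raise UploadRejected("destination escapes the upload directory")
    return dest


if __name__ == "__main__":
    # Constructed sample names; the directory is a hypothetical upload root.
    print(naive_destination("/srv/dvc/uploads", "../../www/page.jsp"))
    for name in ["clip.mp4", "../../www/page.jsp", "page.jsp"]:
        try:
            print(name, "->", safe_destination("/srv/dvc/uploads", name))
        except UploadRejected as err:
            print(name, "-> rejected:", err)
```

Storing the file under a server-generated name and keeping the client's name only as metadata removes the client's influence over the path entirely; the checks above are the minimum when the original name must be preserved.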
Additionally, threat actors exploiting this vulnerability have been documented. For instance, the Advanced Persistent Threat (APT) group known as APT41 has been observed to leverage similar vulnerabilities. This escalates the risk associated with the TRCore DVC Path Traversal issue.
Security researchers emphasize the criticality of the issue due to its high CVSSv3 score of 9.8, indicating the vulnerability’s ease of exploitation and severity of potential impact. Organizations using TRCore DVC need to review and apply necessary patches or workarounds to mitigate this threat effectively.
Weakness
The identified weaknesses associated with this vulnerability are:
- Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) [CWE-22]
- Relative Path Traversal [CWE-23]
- Unrestricted Upload of File with Dangerous Type [CWE-434]
Impact Assessment
If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data or execute arbitrary code on the affected TRCore DVC system. The severity of this impact is heightened by the potential for complete system compromise, data exfiltration, and further network penetration from the compromised host.
Active Exploitation
There have been observable activities indicating that adversary groups are actively exploiting this vulnerability. Such groups leverage these kinds of exploits to infiltrate organizational networks, establish persistent access, and exfiltrate data. Furthermore, the vulnerability presents a vector for deploying additional malicious payloads, creating further complications for the affected entities.
Ransomware Association
Although there is no direct evidence linking this specific vulnerability to ransomware attacks, the type of system access it provides could facilitate such attacks indirectly. The ability to execute arbitrary code could enable the deployment of ransomware like WannaCry or Petya, which are known to exploit similar vulnerabilities to gain a foothold and propagate through networks. Therefore, mitigating this vulnerability is crucial to prevent potential ransomware incidents.
Mitigation and Resolution
We have released a patch that addresses this vulnerability. Users of the TRCore DVC software must update to version 6.4 or later immediately to mitigate the risk of exploitation. The patch can be downloaded from the official TRCore website, and we strongly advise all users to apply this update promptly.
Recommendations
- We strongly recommend that all customers apply the latest patch as soon as possible.
- Verify that the applied updates address the file upload and path traversal vulnerabilities.
- Regularly scan and monitor systems for signs of exploitation through unusual file uploads and directory accesses.
- Configure web servers to prevent execution of uploaded files by segregating upload directories from executable paths.
- Conduct a security audit to ensure no backdoors or unapproved scripts were uploaded during the vulnerability window.
- Educate and train staff on recognizing suspicious activities and reporting potential security incidents.
- Employ Security Information and Event Management (SIEM) tools for proactive threat detection.
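One way to carry out the audit for unapproved scripts recommended above, as an added example (not a TRCore tool): walk the web root and flag server-side script files that are missing from a known-good baseline or were modified during the vulnerability window. The extension list, the baseline format and all names are assumptions for illustration.

```python
import os
from datetime import datetime
from pathlib import Path

# Assumed set of extensions a web server might execute; adjust to the stack in use.
SCRIPT_EXTENSIONS = {".jsp", ".jspx", ".php", ".asp", ".aspx", ".ashx"}


def audit_web_root(web_root, window_start: datetime, baseline: set):
    """Return sorted (relative_path, reasons) for script files needing review.

    baseline holds the relative POSIX paths of scripts shipped with the
    product (for example, taken from a clean install of the same version).
    """
    root = Path(web_root).resolve()
    cutoff = window_start.timestamp()
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in SCRIPT_EXTENSIONS:
                continue
            rel = path.relative_to(root).as_posix()
            reasons = []
            # Timestamps can be altered after the fact, so the baseline
            # comparison is the primary signal and mtime only a secondary one.
            if rel not in baseline:
                reasons.append("not in baseline")
            if path.lstat().st_mtime >= cutoff:
                reasons.append("modified in window")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)
```

Every finding should be reviewed by hand and compared against vendor-supplied files before removal, since patch installation itself can change modification times.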