Vulnerability Notice: CVE-2024-11315

Vendor:
TRCore

Affected Product:
DVC

CVSS SCORE:
9.8 of 10 (Critical)

Risk Index:
4.96 of 10 (Medium)

Description

A critical vulnerability has been identified in the XML parser component of the TRCore DVC product, which allows unauthenticated remote attackers to upload arbitrary files to any directory through path traversal. This can lead to arbitrary code execution by uploading webshells.


Affected Product(s)

  • TRCore DVC Version(s) 6.0 up to but not including 6.4


Technical Details

TRCore Digital Video Controller (DVC) is widely used software, particularly in enterprise environments, for video management and surveillance. Its primary functions are to handle video streams, manage storage, and give users access to video data through centralized management interfaces. A significant security vulnerability has been discovered in versions from 6.0 up to but not including 6.4.

This vulnerability is an arbitrary file upload made possible by path traversal. Specifically, the DVC software neither restricts the types of files that can be uploaded nor effectively sanitizes the file paths it receives. As a result, remote attackers who require no authentication can upload malicious files to any directory of their choosing on the system by supplying carefully crafted file paths.

To understand the technical mechanism, consider the components of the vulnerability and their consequences:

  1. Path Traversal Vulnerability (CWE-22 & CWE-23): Path traversal occurs when user-supplied input is not properly sanitized, allowing attackers to navigate outside the intended directory. On a typical filesystem, ‘../’ sequences move one level up the directory tree, so a path built from such input can reach files that should be off limits. Because the DVC software does not filter these patterns, attackers can specify paths that point anywhere within the filesystem.
  2. Unrestricted File Upload (CWE-434): The server does not enforce restrictions on the types of files that can be uploaded. A secure system should accept only an explicit set of file types, and uploaded content should never be served in a way that executes it. In this DVC scenario, uploaded files are not properly checked, permitting adversaries to upload webshells, scripts that provide unauthorized access to the server.
  3. Webshell Injection: By combining path traversal with unrestricted file upload, attackers can place webshells in directories of their choosing. Webshells are a prevalent threat, giving remote attackers the ability to execute arbitrary commands on the affected system.
  4. Execution of Arbitrary Code: Once a webshell is in place, it lets attackers execute commands with the privileges of the web server process, leading to full compromise of the server and enabling lateral movement within the network.
  5. Data Exfiltration: Attackers can access sensitive information stored on the underlying filesystem, including configuration files, database credentials, and other critical application data.
  6. Service Disruption: Malicious actors can insert scripts or binaries aimed at disrupting service availability or corrupting data, leading to operational downtime and potential data loss.
  7. Overall Severity and Assessment: This vulnerability carries a critical CVSS score of 9.8, underscoring the threat it poses. Because exploitation requires no authentication, the attack vector is network-based, and the impact on confidentiality, integrity, and availability is high, this issue requires immediate attention.
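The two weaknesses above, unsanitized paths and unrestricted file types, are normally closed together at the upload handler. The following Python is an added example written for this notice; it is not TRCore's code and does not reproduce the patched DVC logic. It validates a client-supplied upload name by decoding it once, rejecting encoded or double-encoded traversal, NUL bytes and path separators, requiring a single-extension name from an allowlist, and then confirming that the canonical destination still lies under the upload directory. The allowlist, the `/srv/dvc/uploads` directory and the sample names are constructed for illustration.

```python
import os
import re
import urllib.parse

# Assumed allowlist for a video product; constructed for this example.
ALLOWED_EXTENSIONS = {"jpg", "png", "mp4"}

# Exactly one dot, a conservative character set and a bounded length: this rules
# out "shell.php.jpg"-style double extensions as well as separators and traversal.
NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_-]{0,63}\.[A-Za-z0-9]{1,8}")


class UploadRejected(ValueError):
    """Raised when a client-supplied upload name fails validation."""


def validate_upload_name(name: str, allowed=ALLOWED_EXTENSIONS) -> str:
    """Return "ok" or a short rejection reason for a client-supplied file name."""
    # Decode exactly once so "%2e%2e%2f" is seen as "../"; anything still
    # percent-encoded after that is a double-encoding attempt or junk.
    decoded = urllib.parse.unquote(name)
    if "%" in decoded:
        return "double-encoded"
    if "\x00" in decoded:
        return "nul byte"
    # Never accept directory components from the client, not even to strip them:
    # rejecting makes the attempt visible in logs instead of silently succeeding.
    if "/" in decoded or "\\" in decoded or ".." in decoded:
        return "traversal"
    if not NAME_RE.fullmatch(decoded):
        return "bad name"
    ext = decoded.rsplit(".", 1)[1].lower()
    if ext not in allowed:
        return "extension not allowed"
    return "ok"


def resolve_upload_path(base_dir: str, name: str, allowed=ALLOWED_EXTENSIONS) -> str:
    """Return the absolute destination path under base_dir, or raise UploadRejected."""
    reason = validate_upload_name(name, allowed)
    if reason != "ok":
        raise UploadRejected(reason)
    leaf = urllib.parse.unquote(name)  # validated above: one component, one extension
    # Defence in depth: canonicalise both sides and confirm containment, so a
    # later relaxation of the name rules cannot silently reopen traversal.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, leaf))
    if os.path.commonpath([base, target]) != base:
        raise UploadRejected("escapes upload directory")
    return target


if __name__ == "__main__":
    # Constructed candidates: one benign name and four that must be rejected.
    for candidate in ["clip01.mp4", "../../var/www/x.jpg", "%2e%2e%2fx.jpg",
                      "shell.php", "shell.php.jpg"]:
        print(f"{candidate!r:28} -> {validate_upload_name(candidate)}")
```

The order of the checks matters: decoding happens before the separator test so that percent-encoded traversal is caught, and the containment check at the end is independent of the name rules, so either layer alone still blocks a path that leaves the upload directory.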


Weakness

The weaknesses associated with this vulnerability are identified as:

  • Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) (CWE-22)
  • Relative Path Traversal (CWE-23)
  • Unrestricted Upload of File with Dangerous Type (CWE-434)

These weaknesses fundamentally arise due to the insufficient validation of file paths and uploaded content, allowing adversaries undue influence over file storage and execution paths, ultimately compromising system security.


Impact Assessment

If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data or execute arbitrary code on the affected system. Specifically, it opens up possibilities for the attackers to upload malicious webshells which could be utilized to take full control of the system, exfiltrate sensitive data, disrupt services, or propagate further attacks within a network.


Active Exploitation

We have observed activity from multiple adversary groups who are known for exploiting similar vulnerabilities in web applications. These groups often use automated tools to scan for vulnerable instances of TRCore DVC and upon detection, quickly deploy webshells or other malicious scripts to gain control over the system.


Ransomware Association

The vulnerability has been linked to ransomware attacks, specifically targeting enterprises that rely on surveillance systems. Adversaries exploit it to gain initial access to the network, establish persistence, and deploy ransomware such as the ABC ransomware, which uses that foothold to encrypt sensitive video data and other essential files, rendering critical surveillance systems inoperative.


Mitigation and Resolution

To mitigate and resolve this critical security issue, TRCore has released a security update addressing this vulnerability. Customers are strongly advised to update their TRCore DVC installations to version 6.4 or above immediately. Detailed instructions for applying the patch and verifying the successful resolution of the vulnerability are provided in the official update documentation released by TRCore.


Recommendations

  • We strongly recommend that all customers apply the latest patch (version 6.4 or above) as soon as possible.
  • Regularly monitor the official TRCore site and relevant security advisories for any further updates or patches.
  • Implement strict file-upload policies, ensuring only permissible file types are handled by the server.
  • Conduct periodic security audits and penetration tests to identify and address potential vulnerabilities.
  • Employ web application firewalls (WAFs) to detect and mitigate suspicious file upload patterns.
  • Maintain up-to-date backups and disaster recovery processes to restore systems in case of malicious activity.
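As an added illustration of the log-monitoring and WAF-style detection the list recommends (not code from TRCore or from any particular product), the Python below scans web-server access logs for the two signals this notice describes: traversal sequences in the request target, including percent-encoded and double-encoded forms, and POSTs to an upload endpoint whose target names a server-side script. The log lines, addresses, timestamps and the /dvc/upload endpoint are constructed for the example.

```python
import re
import urllib.parse

# Constructed sample lines in combined log format; the addresses, paths and the
# endpoint are invented for this example and do not come from the notice.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2024:10:01:02 +0000] "POST /dvc/upload?name=clip01.mp4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Dec/2024:10:01:05 +0000] "POST /dvc/upload?name=..%2F..%2Fwebroot%2Fx.jsp HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.12 - - [10/Dec/2024:10:01:09 +0000] "GET /dvc/files/%252e%252e%252fconfig.xml HTTP/1.1" 200 80 "-" "python-requests/2.31"
203.0.113.13 - - [10/Dec/2024:10:02:00 +0000] "GET /dvc/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Extensions a video-management server should never accept as an upload name.
SCRIPT_EXTS = ("jsp", "jspx", "php", "asp", "aspx")
SCRIPT_RE = re.compile(r"\.(?:" + "|".join(SCRIPT_EXTS) + r")(?=$|[?&/])", re.IGNORECASE)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until stable, so double-encoding is normalised."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target: str) -> bool:
    """True if any path, query-key or query-value component is exactly '..'."""
    decoded = decode_fully(target).replace("\\", "/")
    return any(seg == ".." for seg in re.split(r"[/?&=]", decoded))


def names_script_upload(method: str, target: str) -> bool:
    """True for a POST whose request target names a server-side script."""
    return method.upper() == "POST" and SCRIPT_RE.search(decode_fully(target)) is not None


def scan_log(text: str) -> list:
    """Return one record per suspicious line: ip, timestamp, target and the rules hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        flags = []
        if has_traversal(m["target"]):
            flags.append("traversal")
        if names_script_upload(m["method"], m["target"]):
            flags.append("script-upload")
        if flags:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "flags": flags})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']:15} {hit['ts']}  {','.join(hit['flags']):24} {hit['target']}")
```

Repeated decoding is the important detail: a single decode would leave the third sample line looking like an ordinary request, which is exactly why a filter that checks the raw target for ‘../’ is not sufficient on its own. A line that trips both rules (an upload request that both traverses and names a script) is the highest-priority signal for the webshell deployment described in this notice.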
