VisualWare MyConnection Server version 11.0b suffers from a remote code execution vulnerability. The vendor has addressed this issue in MyConnection Server release 11.1a build 5522.
4020b71a9e0980a71356d18f6bd3dfc4f61a0062966d3fecc53fabe7c1ae5936
Document Title:
===============
VisualWare MyConnection Server 11.x Remote Code Execution Vulnerability
References (Source):
====================
https://www.securifera.com/advisories/cve-2021-27198/
https://myconnectionserver.visualware.com/download.html
Release Date:
=============
2020-02-25
Product & Service Introduction:
===============================
MCS tests, measures & reports the performance and health of any network
connection, LAN or WAN. MCS is an access everywhere web based enterprise
solution.
Vulnerability Information:
==============================
Class: CWE-434: Unrestricted Upload of File with Dangerous Type
Impact: Remote Code Execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2021-27198
Vulnerability Description:
==============================
An unauthenticated remote code execution vulnerability was discovered in
Visualware MyConnection Server 11.0 through 11.0b build 5382. The web
endpoint at "https://example.com/myspeed/sf" provides an unauthenticated
user the ability to upload an arbitrary file to an arbitrary location via a
specially crafted POST request. This application is written in Java and is
thus cross-platform. The Windows installation executes the web server as
SYSTEM which means that exploitation provides Administrator privileges on
the target system.
Vulnerability Disclosure Timeline:
==================================
2021-01-11: Contacted VisualWare About Issue via Website Contact Form
2021-02-03: Emailed Multiple VisualWare POCs Requesting Disclosure
Assistance
2021-02-11: Requested CVE from MITRE for vulnerability
2021-02-12: Messaged Lead VisualWare Developer on LinkedIn After Seeing They
Had Looked At My Profile. I assume because of my attempts to contact them
2021-02-18: Notified VisualWare About Issue Again via Website Contact Form
And Notified Them I Would be Disclosing if they did not respond
2021-02-25: Publicly releasing vulnerability because company refuses to
respond to any attempts to coordinate disclsoure
Affected Product(s):
====================
VisualWare MyConnection Server 11.0 through 11.0b build 5382
Severity Level:
===============
High
Proof of Concept (PoC):
=======================
A proof of concept will not be provided at this time.
Solution - Fix & Patch:
=======================
None
Security Risk:
==============
The security risk of this remote code execution vulnerability is estimated
as high. (CVSS 10.0)
Credits & Authors:
==================
Securifera, Inc - b0yd (@rwincey)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Securifera disclaims all
warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular
purpose. Securifera is not liable in any
case of damage,
including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Securifera
or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential
or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break
any licenses, policies, or hack into any
systems.
Domains: www.securifera.com
Contact: contact [at] securifera [dot] com
Social: twitter.com/securifera
Copyright C 2021 | Securifera, Inc
--------------------------
Packet Storm Note:
Visualware Inc. has noted that this issue has been addressed with the 11.1a build 5522 path release.