Corero SecureWatch Managed Services 9.7.2.0020 is affected by a Path Traversal vulnerability via the
snap_file parameter in the
/it-IT/splunkd/__raw/services/get_snapshot HTTP API endpoint. A ‘low privileged’ attacker can read any file on the target host.
“SecureWatch Managed Services are a comprehensive suite of configuration optimization, monitoring and mitigation response services. This round-the-clock service, delivered by Corero’s highly experienced Security Operations Center, is tailored to meet the security policy requirements and business goals of each SmartWall customer that engages in a SecureWatch managed service plan.” More information is available at https://www.corero.com/product/managed-ddos-protection-services/
/opt/splunk/etc/apps/securewatch_analytics_tdd/bin/snapshot_handler/snapshotHandler.py, reachable via a HTTP request to
/it-IT/splunkd/__raw/services/get_snapshot, uses the “snap_file” parameter to build the path of file to provide inside the HTTP response, without sanitizing the user input in any way.
By traversing the
/corero/snapshots/ path it is possible to read any file on the target host.
An attacker with access to an account having ‘swa-monitor’ privileges can read the contents of any file on the target host.
Upgrade Corero SecureWatch Managed Services to version 9.7.5 or later. (Note: we didn’t verify the patch.)
Giulio `linset` Casciaro from Shielder
This advisory was first published on https://www.shielder.it/advisories/corero_secure_watch_managed_services-get_snapshot-path-traversal/
6 August 2021