.png){kind=logo}
Executive Summary
CVE-2023-47246 is a critical path traversal vulnerability identified in SysAid On-Premise software versions prior to 23.3.36. This vulnerability allows an attacker to execute arbitrary code by writing a file to the Tomcat webroot. The vulnerability has been actively exploited in the wild since November 2023, with notable exploitation by the CL0P ransomware group and Lace Tempest. This report provides a comprehensive analysis of CVE-2023-47246, including details on the vulnerability, exploitation in the wild, mitigation strategies, and references to further information.
Technical Information
CVE-2023-47246 is a critical vulnerability with a CVSS score of 9.8, indicating its high severity. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). It exists in SysAid On-Premise software versions up to (excluding) 23.3.36. The vulnerability allows an attacker to perform a path traversal attack, enabling them to write a file to the Tomcat webroot directory. This file can then be executed by the server, leading to remote code execution (RCE).
The attack vector for this vulnerability is network-based, with a low attack complexity, no required privileges, and no user interaction needed. The impact of this vulnerability is significant, affecting the confidentiality, integrity, and availability of the system. Specifically, an attacker can gain unauthorized access, execute arbitrary code, and potentially take control of the affected system.
The vulnerability was discovered in November 2023 and has since been actively exploited in the wild. The exploitation involves writing a malicious file to the Tomcat webroot directory, which is then executed by the server. This allows the attacker to gain remote code execution capabilities, move laterally within the network, and potentially exfiltrate sensitive data.
Exploitation in the Wild
The exploitation of CVE-2023-47246 has been observed in various attacks, primarily targeting organizations using SysAid On-Premise software. Notable threat actors, including the CL0P ransomware group and Lace Tempest, have been identified as exploiting this vulnerability. These groups have used the vulnerability to gain unauthorized access, execute malicious code, and deploy ransomware.
The exploitation typically involves writing a malicious file to the Tomcat webroot directory. This file is then executed by the server, allowing the attacker to achieve remote code execution. Indicators of Compromise (IOCs) associated with this exploitation include unusual files in the Tomcat webroot directory, unexpected network traffic to and from the SysAid server, and signs of lateral movement within the network.
APT Groups using this vulnerability
The CL0P ransomware group is known for exploiting vulnerabilities to deploy ransomware and exfiltrate data. They have been observed using CVE-2023-47246 to gain unauthorized access and execute malicious code. The Lace Tempest group is another threat actor known for exploiting zero-day vulnerabilities. They have also been identified as exploiting CVE-2023-47246 to achieve remote code execution and gain unauthorized access to systems.
Affected Product Versions
The affected product versions include SysAid On-Premise software versions up to (excluding) 23.3.36. Users of these versions are at risk of exploitation and should take immediate action to mitigate the threat.
Workaround and Mitigation
SysAid has released a security update to address this vulnerability. Users are strongly advised to upgrade to version 23.3.36 or later. The update includes necessary patches to prevent the path traversal attack vector. In addition to applying the security update, organizations should implement continuous monitoring for IOCs, adhere to best security practices, and ensure that their systems are regularly updated with the latest security patches.
References
For further information on CVE-2023-47246 and its exploitation, please refer to the following sources:
Rescana is here for you
At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform provides comprehensive monitoring, detection, and mitigation capabilities to protect your organization from vulnerabilities like CVE-2023-47246. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com.
Comments