Other official information and services: www.belgium.be

Warning: two critical RCE vulnerabilities in Lansweeper

Référence:

Advisory #2022-48

Version:

1.0

Logiciels concernés :

Lansweeper

CVE/CVSS:

CVE-2022-29517

CVE-2022-32573

9.9 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Date:

14/12/2022

Sources

https://www.lansweeper.com/changelog/

Risques

Lansweeper has patched 2 critical vulnerability in their product Lansweeper that could be exploited by a remote unauthenticated attacker. This leads to arbitrary file upload and Remote Code Execution (RCE).

The attack does not require any user interaction and can be executed remotely without privileges.

The impact to confidentiality, integrity and availability is high.

The Centre for Cybersecurity Belgium recommends system administrators patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity. This report has instructions to help your organization.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

Description

On the 29^th of November 2022 Lansweeper released an update addressing several issues. Two of these are critical vulnerabilities: CVE-2022-29517 and CVE-2022-32573.

Both of these vulnerabilities are related to CWE22[1] which is a directory traversal vulnerability. An attacker can send a specially-crafted HTTP request that can lead to arbitrary file upload.

CVE-2022-29517 is related with the following action in Lansweeper: “Helpdesk -> choose any ticket -> Template [editor window] -> Edit any template -> add inline file”. The vulnerable code for this action is located in the “LS\WS\HelpdeskActions.cs” file.

CVE-2022-32573 is related with the following action in Lansweeper: ”Assets -> choose any asset -> Docs -> Add document”. The vulnerable code for this action is located in the “\LS\WS\AssetActions.cs file.”

Affected products

Lansweeper

Affected version

10.1.1.0

[1] CWE - CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (4.9) (mitre.org)

Actions recommandées

Patch

Update Lansweeper to the latest version as described in Lansweeper Changelog - Lansweeper.com.

Monitor/Detect
The CCB recommends organizations to upscale monitoring and detection capabilities and to detect any related suspicious activity, ensuring a fast response in case of an intrusion.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

When applying patches to systems that have been vulnerable to an authentication bypass, a proactive threat assessment should be performed to verify the device was not accessed from an unknown IP or location.

Références

TALOS-2022-1529 || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence

TALOS-2022-1528 || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence