Advantech WebAccess/NMS is a web browser-based software package for networking management systems (NMS). It is designed with SNMP and ICMP communication standards for managing all Ethernet-Enabled Advantech products and third-parties devices. NMS can bring users an easy-to-use platform to monitor and manage networking remotely. Advantech WebAccess/NMS platform runs on top of the Apache webserver

Vulnerability | CVE-2020-10621

One of the services provided by Advantech WebAccess NMS enables users to upload a config file to the server and then instructs devices to restore their configuration with this uploaded config file. The service is requested via an HTTP request which places the uploaded file and several parameters in the format of multipart/form-data. The request is handled in the class ConfigRestoreAction via the following Request-URI:

/SCMS/web/access/ConfigRestoreAction.action

An arbitrary file upload vulnerability exists in the Advantech WebAccess NMS. This is due to the lack of sanitation on the “cfgfile” parameter in the ConfigRestoreAction class. When receiving the request submitted to the “ConfigRestoreAction.action” endpoint, the execute() method of the ConfigRestoreAction class is called to handle the request.  The input parameter “cfgfile” is not sanitized before applying it to create the destination file path in the application installation directory. The destination file path could point to any location on the NMS server, which leads to arbitrary file upload conditions.

In the below request, the attacker posts an HTTP request with a malicious file and crafted parameters to the vulnerable server.

POST /SCMS/web/access/ConfigRestoreAction.action?cfgfile=<crafted input> HTTP/1.1

A remote, unauthenticated attacker can exploit this vulnerability by submitting a crafted request to the target server. Successful exploitation could lead to arbitrary file upload and, in the worst case, code execution condition under the security context of the system.

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15119 Advantech WebAccess ConfigRestoreAction Arbitrary File Upload

Affected Products:

Advantech WebAccess/NMS versions prior to 3.0.2 are affected by this vulnerability.