CVE-2022-42732: Improper Read Access Control Vulnerability in syngo Dynamics (All versions < VA40G HF01)

A vulnerability, identified as CVE-2022-42732, has been discovered in the syngo Dynamics application server, a healthcare solution developed by Siemens Healthineers. This vulnerability affects all software versions lower than VA40G HF01. It has been found that the syngo Dynamics application server hosts a web service with an operation that provides improper read access control. This could allow an attacker to potentially access and retrieve files from any folder accessible to the account assigned to the website’s application pool.

Vulnerability Details

The vulnerability lies in the improper implementation of read access control within a web service operation. This can enable an attacker with authenticated access to the server to exploit this vulnerability and potentially gain unauthorized access to sensitive files and information. The consequences may include information disclosure and tampering with the application's functionality.

The issue exists due to the implementation of a web service operation that lacks the proper read access control mechanisms. This service may allow authenticated users to read files from any folder that is accessible to the account running the website's application pool.

The following is an example of a code snippet demonstrating the vulnerability

[WebMethod]
public string ReadFile(string filePath)
{
    // Missing read access control
    if (File.Exists(filePath)
    {
        using (StreamReader sr = new StreamReader(filePath))
        {
            return sr.ReadToEnd();
        }
    }
    return "File not found.";
}

Mitigation and Patch Information

In response to the vulnerability, Siemens Healthineers has released an update for syngo Dynamics systems. It is highly recommended for users of syngo Dynamics software to update to the latest software version VA40G HF01 to mitigate this vulnerability. Users may contact their local Siemens Healthineers customer service representative for further guidance on updating their systems.

To further enhance the security of syngo Dynamics systems, users may consider following best practices for securing their environment, including:

For more information about the identified vulnerability, please refer to the following resources

1. CVE-2022-42732: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42732
2. Siemens Healthineers: https://www.siemens-healthineers.com/en-us/
3. Siemens Healthineers Security Advisory: https://www.siemens-healthineers.com/en-us/support/cybersecurity/security-advisories
4. Defense-in-Depth Principles: https://www.cisa.gov/defense-industry-sector

Conclusion

The discovery of this vulnerability in syngo Dynamics (CVE-2022-42732) highlights the need for proper implementation of access controls for web services and operations. Promptly updating the software to the latest available version can protect your systems from potential exploitation. Additionally, adopting defense-in-depth principles, network segmentation, and regular vulnerability scanning can help further secure your organization's systems against unauthorized access and other security risks.

Timeline

Published on: 11/17/2022 17:15:00 UTC
Last modified on: 11/21/2022 20:08:00 UTC