CVE-2022-46898 - Vocera Report Server Path Traversal & SQL Injection via Unsanitized Filename
In 2022, a significant vulnerability (CVE-2022-46898) was discovered in Vocera Report Server and Voice Server versions 5.x through 5.8. This flaw allows an attacker to perform path traversal that may lead to arbitrary execution of SQL commands by abusing the database restore feature. In this post, we’ll break down how this vulnerability works, show code snippets for better understanding, and provide direct references for readers who want to dig deeper.
What is Path Traversal?
Path traversal (also known as directory traversal) is a type of security bug that allows attackers to access directories and files that are stored outside the web root folder. By manipulating variables that reference files with “../”, attackers can gain access to restricted files and directories.
Vulnerable Feature Explained
Vocera Report Console provides a WebSocket endpoint used to restore the report server's database. The process is supposed to allow administrators to upload a ZIP archive which contains a SQL import file. However, the filename is not properly sanitized, introducing a path traversal vulnerability.
- The filename is accepted as-is and used for storage or processing.
- If the filename contains path traversal sequences (such as ../../), the server can be tricked into writing or extracting files outside of the intended directory.
Example Attack Flow
Let's say the intended directory to restore SQL files is /opt/vocera/backup/.
Suppose an attacker sends the following in their request:

```json
{
  "filename": "../../postgres/data/postgresql.conf",
  "filedata": "<base64-encoded-content-of-zip>"
}
```
When the server constructs the path by concatenating the untrusted filename, it writes outside its backup directory. If the server then unpacks and imports the "SQL" file, arbitrary SQL can be run.

Below is Python-like pseudocode illustrating the vulnerable flow (deliberately unsafe; it mirrors the bug rather than a secure design):

```python
import os
import zipfile


def handle_restore(filename, zip_file_data):
    # Assume filename comes from the WebSocket client; no sanitization!
    # UNSAFE: plain string concatenation lets "../" sequences escape the backup directory
    extract_path = "/opt/vocera/backup/" + filename
    with open(extract_path, "wb") as f:
        f.write(zip_file_data)
    # UNSAFE: extractall() also trusts the member names stored inside the archive
    with zipfile.ZipFile(extract_path, "r") as zip_ref:
        zip_ref.extractall("/opt/vocera/backup/")
    # Import the SQL file (potentially outside the intended folder) via a shell
    # command that is itself built from untrusted input
    os.system(f"psql -f {extract_path}")
```
With this setup, an attacker could upload a ZIP archive that extracts to an unintended location and contains malicious SQL:

- The archive contains a SQL file with destructive commands (such as DROP DATABASE vocera;).
- The attacker sets the filename to ../../tmp/evil.sql.
- The attacker sends a WebSocket message:

```json
{
  "opcode": "restore",
  "filename": "../../tmp/evil.sql",
  "data": "(base64 zip payload)"
}
```

- The server extracts and executes evil.sql as a SQL script, potentially damaging or taking over the Vocera database.
Real-World Impact
* Data Exfiltration – Read sensitive data from the database.
* Data Destruction – Dropping or altering tables to disrupt server functionality.
* Privilege Escalation – Execute further attacks if SQL commands can be chained.
Preventing This Issue
- Sanitize filenames: Only allow safe alphanumeric names, and strip path characters like ../, /, and \.
- Validate ZIP extraction paths: Restrict extraction to one directory.
- Least privilege: Don't allow the restoration process to run as a privileged database user if possible.
Secured Code Snippet Example
```python
import os
import re
import zipfile

BACKUP_DIR = "/opt/vocera/backup/"


def sanitize_filename(filename):
    # Keep only the basename, then allow letters, numbers, underscore, dash and dot
    # (the original regex used the invalid range "Z-9"; it is "0-9" here)
    name = re.sub(r"[^a-zA-Z0-9_\-\.]", "", os.path.basename(filename))
    # A bare "." or ".." would survive the character filter, so reject it explicitly
    if not name or name in (".", ".."):
        raise ValueError("invalid filename")
    return name


def handle_restore(filename, zip_file_data):
    safe_filename = sanitize_filename(filename)
    extract_path = os.path.join(BACKUP_DIR, safe_filename)
    # Defence in depth: the resolved path must still sit inside the backup directory
    root = os.path.realpath(BACKUP_DIR)
    if os.path.commonpath([root, os.path.realpath(extract_path)]) != root:
        raise ValueError("path escapes backup directory")
    # rest of code...
```
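The snippet above only covers the filename sent over the WebSocket; the second prevention point, restricting ZIP extraction to one directory, needs a check on every member name inside the archive as well. The following is an added example (not code from the post or from Vocera) that resolves each member's target path and refuses any that would land outside the destination, using a constructed archive with one legitimate dump and one traversal member shaped like the evil.sql filename above:

```python
import io
import os
import tempfile
import zipfile


def safe_extract(zip_bytes, dest_dir):
    """Extract an in-memory ZIP into dest_dir, skipping any member whose
    resolved path would land outside dest_dir ("zip slip").
    Returns (extracted, rejected) lists of member names."""
    dest_root = os.path.realpath(dest_dir)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Resolve ../ and symlinked parents before comparing against the root;
            # an absolute member name makes os.path.join discard dest_root entirely.
            target = os.path.realpath(os.path.join(dest_root, name))
            if os.path.isabs(name) or os.path.commonpath([dest_root, target]) != dest_root:
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_demo_archive():
    """Constructed sample archive (hypothetical): one legitimate dump plus one
    member whose name carries the traversal sequence from the write-up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("restore.sql", "SELECT 1;\n")
        zf.writestr("../../tmp/evil.sql", "-- would run outside the backup dir\n")
    return buf.getvalue()


def run_demo():
    """Extract the demo archive into a throwaway backup directory and report
    what happened; the traversal member must be rejected and never created."""
    with tempfile.TemporaryDirectory() as tmp:
        backup_dir = os.path.join(tmp, "opt", "vocera", "backup")
        extracted, rejected = safe_extract(build_demo_archive(), backup_dir)
        escaped = os.path.join(tmp, "opt", "tmp", "evil.sql")  # where ../../ would land
        return extracted, rejected, os.path.exists(escaped)


if __name__ == "__main__":
    print(run_demo())
```

Running this reports restore.sql as extracted, ../../tmp/evil.sql as rejected, and confirms nothing was written at the escaped location.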
References
- NIST NVD Entry for CVE-2022-46898
- Vocera Security Advisories
- OWASP Path Traversal Cheat Sheet
Conclusion
CVE-2022-46898 is a reminder that user input must never be trusted, whether that input is a filename, a path, or a SQL command. Path traversal flaws often look harmless but can lead to full system compromise, especially when the traversed path feeds a privileged operation such as a database restore. Always sanitize, validate, and keep software up to date.
*If you run a Vocera Report or Voice Server, upgrade past version 5.8 and follow guidance in their advisories.*
Timeline
Published on: 07/25/2023 20:15:00 UTC
Last modified on: 08/01/2023 01:21:00 UTC