Black Lantern Security (BLSOPS)

Vulnerability Research

NASCENT RemKon Multiple CVEs

NASCENT: CVE-2021-38611, CVE-2021-38612, CVE-2021-38613: RemKon Device Manager 4.0.0.0

Chase Lindquist
Aug 23, 2021

NASCENT’s RemKon Device Manager is a web application deployed in logistics centers to serve as a “single pane of glass” for managing settings and configurations of Automated Gate Systems (AGS) and other NASCENT products. Black Lantern Security (BLS) identified a total of 3 CVEs in this software during a customer engagement. CVE-2021-38611 allows the execution of arbitrary commands during a file upload, CVE-2021-38612 is a directory traversal vulnerability, and CVE-2021-38613 allows the upload of arbitrary files. By default, the software does not require authentication.

CVE-2021-38611 and CVE-2021-38613

The RemKon Device Manager image upload function executes system commands to store uploaded files in /tmp. Because this code builds raw system commands with no filtering of user input, an attacker can append a semicolon to a file name to escape this function and execute arbitrary system commands. The arbitrary command execution vulnerability was assigned the ID CVE-2021-38611.

Figure: Command Injection via File Upload

Additionally, this PHP function does not perform any file type validation. Fortunately, as stated previously, uploaded files are stored in /tmp, so an uploaded web shell cannot be accessed immediately when this functionality is abused (although CVE-2021-38611 largely renders this point moot). The arbitrary file upload was assigned the ID CVE-2021-38613.

Figure: Arbitrary File Upload
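
One way to write an upload handler that avoids both issues, as an added example (not NASCENT's code and not from the original post): the file is stored through PHP's filesystem API under a server-generated name, and its type is checked from content against an allow-list. The form field `image`, the directory `/tmp/uploads`, and the allowed types are assumptions.

```php
<?php
// Added example: hypothetical upload handler, not RemKon source code.
declare(strict_types=1);

const UPLOAD_DIR = '/tmp/uploads';   // assumed storage directory, must already exist
const ALLOWED = [                    // assumed allow-list: content type => extension
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

// Hypothetical shape of the weak pattern the advisory describes (for contrast):
//   system("mv " . $_FILES['image']['tmp_name'] . " /tmp/" . $_FILES['image']['name']);
// The client-controlled name is parsed by the shell, so metacharacters in it
// are treated as command syntax, and no check is made on what the file is.

function store_upload(array $file): string
{
    if (($file['error'] ?? null) !== UPLOAD_ERR_OK
        || !is_string($file['tmp_name'] ?? null)
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Decide the type from the file content, never from the client-supplied
    // name or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('file type not allowed');
    }
    // Server-generated name: the client file name never reaches the
    // filesystem path or any command line.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    // Filesystem API call; no shell is involved.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);
    return $dest;
}

if (isset($_FILES['image'])) {
    try {
        echo basename(store_upload($_FILES['image']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected';
    }
}
```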

CVE-2021-38612

The RemKon Device Manager also features a log reading function that does not sanitize user input, allowing an attacker to read files on the underlying server (including source code for the web application). The directory traversal vulnerability was assigned the ID CVE-2021-38612.

Figure: Directory Traversal

NASCENT was informed of the nature of these vulnerabilities shortly after their discovery. The newest version of the RemKon Device Manager remediates the identified issues.

Timeline

2020-04-02: Contacted NASCENT to Report the Vulnerabilities
2021-08-12: Contacted MITRE to Request CVEs
2021-08-12: MITRE Responded with CVE IDs CVE-2021-38611, CVE-2021-38612, CVE-2021-38613
2021-08-23: Public Disclosure

CVE IDs

  • CVE-2021-38611
  • CVE-2021-38612
  • CVE-2021-38613
