CVE-2021-22652
Published 2021-02-11
Priority P1 · 79 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 36.84% (98.3th percentile)
Access to the configuration of Advantech iView versions prior to v5.7.03.6112 is missing authentication, which may allow an unauthorized attacker to change the configuration and obtain code execution.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advantech | iview | < 5.7.03.6112 | 5.7.03.6112 |
Detection & IOCs (extracted from sources)
url: `/iView3/NetworkServlet`

path: `webapps\iView3\`

snort:

```
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Advantech iView RCE Setup via Config Overwrite Inbound (CVE-2021-22652)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/iView3/NetworkServlet"; fast_pattern; http.request_body; content:"page_action"; startswith; content:"|22|EXPORTPATH|22 3a 20 22|webapps|5c 5c|iView3|5c 5c 22|"; reference:url,www.rapid7.com/blog/post/2021/02/11/cve-2021-22652-advantech-iview-missing-authentication-rce-fixed/; reference:cve,2021-22652; classtype:attempted-admin; sid:2032767; rev:1; metadata:attack_target Web_Server, created_at 2021_04_15, cve CVE_2021_22652, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_04_15;)
```

bytes: `|22|EXPORTPATH|22 3a 20 22|webapps|5c 5c|iView3|5c 5c 22|`

- The exploit targets the unauthenticated POST endpoint `/iView3/NetworkServlet` to overwrite the EXPORTPATH configuration value, redirecting exports to a web-accessible path (`webapps\iView3\`) to enable arbitrary file write and subsequent RCE.
- HTTP POST requests to `/iView3/NetworkServlet` with a body starting with `page_action` and containing an EXPORTPATH key set to a webapps path should be treated as exploitation attempts.
- The process running iView is typically NT AUTHORITY\SYSTEM; any new child processes spawned from the iView service process after exploitation should be investigated as potential RCE indicators.
- The Snort/ET rule (sid:2032767) targets inbound traffic to `$HTTP_SERVERS` and `$HOME_NET`; ensure these variables are correctly scoped to include the iView server's IP to avoid missed detections.
- The vulnerability is fixed in iView v5.7.03.6112; the demonstrated vulnerable version is 5.7.02.5992. Detection rules are only operationally relevant on unpatched instances.
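
An added example, not part of the original page or of the ET ruleset: the match logic of sid:2032767 reimplemented in Python for triaging stored HTTP requests, such as reverse-proxy logs that retain bodies. The `classify` and `triage` names, the `broad` verdict (which follows the analyst note above on any EXPORTPATH value under webapps, not the rule itself) and the sample requests are assumptions constructed here.

```python
import re

SERVLET_URI = "/iView3/NetworkServlet"
BS2 = bytes.fromhex("5c5c")  # two backslash bytes, written |5c 5c| in the rule
# Literal body content required by sid:2032767.
RULE_BYTES = b'"EXPORTPATH": "webapps' + BS2 + b"iView3" + BS2 + b'"'
# Assumption: broader form of the indicator, any EXPORTPATH value that
# begins with "webapps", tolerant of spacing and letter case.
BROAD = re.compile(rb'"EXPORTPATH"\s*:\s*"webapps', re.IGNORECASE)


def classify(method: str, uri: str, body: bytes):
    """Return 'rule' (exact sid:2032767 logic), 'broad', or None."""
    # http.method content:"POST" and http.uri content:"/iView3/NetworkServlet"
    if method != "POST" or SERVLET_URI not in uri:
        return None
    # http.request_body content:"page_action"; startswith
    if not body.startswith(b"page_action"):
        return None
    if RULE_BYTES in body:
        return "rule"
    if BROAD.search(body):
        return "broad"
    return None


# Constructed requests (method, uri, body). They are not captured traffic,
# and everything beyond the fields named in the rule is a placeholder.
SAMPLES = [
    ("POST", SERVLET_URI, b"page_action=CONSTRUCTED&x={" + RULE_BYTES + b"}"),
    ("POST", SERVLET_URI,
     b'page_action=CONSTRUCTED&x={"exportpath":"webapps' + BS2 + b'other"}'),
    ("POST", SERVLET_URI, b"page_action=CONSTRUCTED&x={}"),
    ("GET", SERVLET_URI, b""),
    ("POST", "/other/Servlet", b"page_action=CONSTRUCTED&x={" + RULE_BYTES + b"}"),
]


def triage(requests):
    """Classify each request and return the verdicts in input order."""
    return [classify(method, uri, body) for method, uri, body in requests]


if __name__ == "__main__":
    for request, verdict in zip(SAMPLES, triage(SAMPLES)):
        print(verdict, request[0], request[1])
```

A `rule` verdict corresponds to what the network signature would alert on; a `broad` verdict is a lead for manual review on unpatched instances.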
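CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |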
CISA ICS
Advantech iView
cisa_ics·2021-02-09·CVSS 7.5
[HIGH] Advantech iView
ICS Advisory
## Advantech iView
Last Revised: February 09, 2021
Alert Code: ICSA-21-040-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Advantech
- Equipment: iView
- Vulnerabilities: SQL Injection, Path Traversal, Missing Authentication for Critical Function
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities may allow an attacker to disclose information, escalate privileges to Administrator, perform an arbitrary file read, and remotely execute commands.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The
GHSA
GHSA-23jg-2v84-hg56: Access to the Advantech iView versions prior to v5
ghsa_unreviewed·2022-05-24
CVE-2021-22652 [CRITICAL] CWE-306 GHSA-23jg-2v84-hg56: Access to the Advantech iView versions prior to v5
Access to the configuration of Advantech iView versions prior to v5.7.03.6112 is missing authentication, which may allow an unauthorized attacker to change the configuration and obtain code execution.
Suricata
ET EXPLOIT Advantech iView RCE Setup via Config Overwrite Inbound (CVE-2021-22652)
suricata·2021-04-15·CVSS 9.8
CVE-2021-22652 [CRITICAL] ET EXPLOIT Advantech iView RCE Setup via Config Overwrite Inbound (CVE-2021-22652)
- http://packetstormsecurity.com/files/161937/Advantech-iView-Unauthenticated-Remote-Code-Execution.html
- https://us-cert.cisa.gov/ics/advisories/icsa-21-040-02