CVE-2022-1373
Published 2022-08-17
CVE-2022-1373: The “restore configuration” feature of Softing Secure Integration Server V1.22 is vulnerable to a directory traversal vulnerability when processing zip files…
Priority P258 · high · 7.2 (CVSS 3.1)
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 10.23% (95.1th percentile)
The “restore configuration” feature of Softing Secure Integration Server V1.22 is vulnerable to a directory traversal vulnerability when processing zip files. An attacker can craft a zip file to load an arbitrary dll and execute code. Using the "restore configuration" feature to upload a zip file containing a path traversal file may cause a file to be created and executed upon touching the disk.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| softing | edgeaggregator | — | — |
| softing | edgeconnector | — | — |
| softing | opc | — | — |
| softing | opc_ua_c_+_+_software_development_kit | — | — |
| softing | secure_integration_server | — | — |
| softing | secure_integration_server | — | — |
| softing | uagates | — | — |
Detection & IOCs (extracted from sources)
- Monitor for creation of wbemcomn.dll in C:\Windows\System32\wbem\ by a non-system process, particularly the Softing Secure Integration Server process, as this indicates exploitation of the directory traversal via zip upload.
- Detect zip file uploads to the 'restore configuration' feature of Softing SIS containing path traversal sequences (e.g., '../' or '..\') in archived file names, especially targeting DLL paths under Windows\System32.
- Alert on DLL hijacking of wbemcomn.dll triggered at Softing Secure Integration Server restart: the planted DLL is loaded during service restart following a configuration restore operation.
- Investigate ARP spoofing activity on networks hosting Softing SIS servers, as attackers may use it to harvest authentication signatures used in the exploit chain.
- The exploit chain requires authentication (username + password or signature). Signature-based authentication was demonstrated at Pwn2Own via ARP spoofing, meaning network-level credential interception is a prerequisite attack vector.
- This CVE (CVE-2022-1373) is chained with CVE-2022-2334 (DLL hijacking) to achieve full RCE; the directory traversal alone plants the DLL, but code execution requires the subsequent service restart triggering the hijack.
- A custom DLL payload can be substituted for the default Metasploit-generated DLL, meaning the planted file hash will vary across attack instances and hash-based detection alone is insufficient.
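The archive-name check from the second detection item, as an added example (not code from Softing, CISA or this page's sources). It inspects entry names only, so it does not depend on file hashes; the sample archive and its entry names are constructed, and `config/settings.xml` is a hypothetical benign entry.

```python
import io
import ntpath
import zipfile

# Constructed entry names for the demo; "config/settings.xml" is a hypothetical benign entry.
SAMPLE_NAMES = [
    "config/settings.xml",
    "..\\..\\Windows\\System32\\wbem\\wbemcomn.dll",
    "../../outside/notes.txt",
    "C:/Temp/notes.txt",
]


def build_sample(names=SAMPLE_NAMES) -> bytes:
    """Build an in-memory zip whose entries hold only placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "placeholder")
    return buf.getvalue()


def audit_archive(data: bytes) -> list:
    """Return (entry name, reason, is_dll) for each entry that would land outside the restore directory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Treat both separators alike: Windows resolves "..\" and "../" the same way.
            parts = name.replace("\\", "/").split("/")
            drive, _ = ntpath.splitdrive(name)
            if drive or name.startswith(("/", "\\")):
                reason = "absolute path"
            elif ".." in parts:
                reason = "parent-directory traversal"
            else:
                continue
            findings.append((name, reason, name.lower().endswith(".dll")))
    return findings


if __name__ == "__main__":
    for name, reason, is_dll in audit_archive(build_sample()):
        print(f"{'HIGH' if is_dll else 'WARN'}  {reason}: {name}")
```

Entries flagged with `is_dll` set correspond to the case the list singles out, a traversal entry aimed at a DLL path.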
CISA ICS
Softing Secure Integration Server
cisa_ics·2022-09-26·CVSS 7.5
[HIGH] Softing Secure Integration Server
ICS Advisory
## Softing Secure Integration Server
Last Revised: September 26, 2022
Alert Code: ICSA-22-228-04
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Softing
- Equipment: Secure Integration Server
- Vulnerabilities: Out-of-bounds Read, Uncontrolled Search Path Element, Improper Authentication, Relative Path Traversal, Cleartext Transmission of Sensitive Information, NULL Pointer Dereference, Integer Underflow.
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-servi
GHSA
GHSA-8rff-xvx4-wwhh: The “restore configuration” feature of Softing Secure Integration Server V1
ghsa_unreviewed·2022-08-18
CVE-2022-1373 [HIGH] CWE-22 GHSA-8rff-xvx4-wwhh: The “restore configuration” feature of Softing Secure Integration Server V1