CVE-2022-36642
Published 2022-09-02
Priority: P179 · critical · 9.8 (CVSS 3.1)
AV:N · AC:L · PR:N · UI:N · S:U · C:H · I:H · A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 9.04% (94.6th percentile)
A local file disclosure (LFD) vulnerability in /appConfig/userDB.json of Telos Alliance Omnia MPX Node through 1.0.0-1.4.9 allows attackers to access user credentials and thereby gain initial access to the control panel with high privilege, because sensitive information is stored in cleartext and can be retrieved by exploiting the LFD vulnerability.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| telosalliance | omnia_mpx_node_firmware | — | — |
| telosalliance | omnia_mpx_node_firmware | >= 1.0.0 < 1.5.0 | 1.5.0 |
Detection & IOCs (extracted from sources)
shodan-query: http.title:"Omnia MPX Node | Login"
- Detect LFI exploitation attempts targeting the downloadMainLog endpoint with path traversal sequences to retrieve /etc/passwd or userDB.json.
- Inspect HTTP response bodies for JSON credential fields indicating successful userDB.json exfiltration: look for co-occurrence of '"username":', '"password":', '"mustChangePwd":', and '"roleUser":'.
- Detect successful /etc/passwd retrieval via the LFI endpoint by matching the regex pattern for the root user entry in the response body.
- Identify exposed Omnia MPX Node instances via Shodan/FOFA using the login page title fingerprint.
- Credentials in userDB.json are stored in cleartext, meaning any successful LFI retrieval of this file directly yields usable plaintext credentials for the control panel; no cracking is required.
- The vulnerability is exploitable without authentication (PR:N, UI:N per CVSS), meaning no prior access is needed to trigger the LFI and retrieve credentials.
- The userDB.json file path on disk is /config/MPXnode/www/appConfig/userDB.json; traversal depth must account for this absolute path when crafting detection signatures.
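The request and response checks listed above, combined into one triage function over proxy or WAF records, as an added example that is not taken from the sources this page aggregates. The sample records are constructed, the query parameter name `PLACEHOLDER` is hypothetical because the page does not give it, and the root-entry regex is an assumed form of the pattern the list mentions.

```python
import re
from urllib.parse import unquote

ENDPOINT = "downloadmainlog"            # logs/downloadMainLog, named on this page
TRAVERSAL = re.compile(r"\.\.[/\\]")    # "../" or "..\" once URL-decoded
TARGETS = ("userdb.json", "/etc/passwd")
CRED_FIELDS = ('"username":', '"password":', '"mustChangePwd":', '"roleUser":')
ROOT_ENTRY = re.compile(r"^root:[^:]*:0:0:", re.M)  # assumed form of the root-entry regex

def decode(url, rounds=3):
    """URL-decode repeatedly so %2e%2e%2f and double-encoded variants normalise."""
    for _ in range(rounds):
        nxt = unquote(url)
        if nxt == url:
            break
        url = nxt
    return url

def classify(url, status, body):
    """Label one HTTP transaction: ignore / attempt / *_disclosed."""
    u = decode(url).lower()
    if ENDPOINT not in u:
        return "ignore"
    if not (TRAVERSAL.search(u) or any(t in u for t in TARGETS)):
        return "ignore"
    if status == 200:
        if all(f in body for f in CRED_FIELDS):   # all four fields must co-occur
            return "credentials_disclosed"
        if ROOT_ENTRY.search(body):
            return "passwd_disclosed"
    return "attempt"

# Constructed proxy records: (request URL, response status, response body).
# PLACEHOLDER is a hypothetical parameter name; the bodies are invented samples.
SAMPLES = [
    ("/logs/downloadMainLog?PLACEHOLDER=../../appConfig/userDB.json", 200,
     '[{"username":"u1","password":"example","mustChangePwd":false,"roleUser":"admin"}]'),
    ("/logs/downloadMainLog?PLACEHOLDER=%2e%2e%2f%2e%2e%2fetc%2fpasswd", 200,
     "root:x:0:0:root:/root:/bin/sh\n"),
    ("/logs/downloadMainLog?PLACEHOLDER=%252e%252e%252fetc%252fpasswd", 404, ""),
    ("/logs/downloadMainLog?PLACEHOLDER=main.log", 200, "boot ok\n"),
    ("/static/../img/logo.png", 200, ""),
]

def triage(records):
    return [classify(*r) for r in records]

if __name__ == "__main__":
    for rec, label in zip(SAMPLES, triage(SAMPLES)):
        print(f"{label:22} {rec[0]}")
```

A `credentials_disclosed` result means every panel account on that device should be treated as exposed, since the file holds cleartext passwords.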
CVSS provenance
nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 · CRITICAL
GHSA
GHSA-33v4-rh3c-mhcg: A local file disclosure vulnerability in /appConfig/userDB
ghsa_unreviewed·2022-09-03
CVE-2022-36642 [CRITICAL] CWE-862 GHSA-33v4-rh3c-mhcg: A local file disclosure vulnerability in /appConfig/userDB
A local file disclosure vulnerability in /appConfig/userDB.json of Telos Alliance Omnia MPX Node through 1.5.0+r1 allows attackers to escalate privileges to root and execute arbitrary commands.
VulnCheck
telosalliance omnia_mpx_node_firmware Missing Authorization
vulncheck·2022·CVSS 9.8
CVE-2022-36642 [CRITICAL] telosalliance omnia_mpx_node_firmware Missing Authorization
Affected: telosalliance omnia_mpx_node_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2022-36642; https://dash
No detection rules found.
Nuclei
Omnia MPX 1.5.0+r1 - Local File Inclusion
nuclei·CVSS 9.8
CVE-2022-36642 [CRITICAL] Omnia MPX 1.5.0+r1 - Local File Inclusion
Telos Alliance Omnia MPX Node through 1.5.0+r1 is vulnerable to local file inclusion via logs/downloadMainLog. Retrieving userDB.json allows an attacker to obtain cleartext credentials and escalate privileges via the control panel.
Template:
```yaml
id: CVE-2022-36642
info:
  name: Omnia MPX 1.5.0+r1 - Local File Inclusion
  author: arafatansari,ritikchaddha,For3stCo1d
  severity: critical
  description: |
    Telos Alliance Omnia MPX Node through 1.5.0+r1 is vulnerable to local file inclusion via logs/downloadMainLog. By retrieving userDB.json allows an attacker to retrieve cleartext credentials and escalate privileges via the control panel.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server,
```
References:
- https://cyber-guy.gitbook.io/cyber-guy/pocs/omnia-node-mpx-auth-bypass-via-lfd
- https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/bypassing-mpx-node-authentication-firmware-analysis
- https://drive.google.com/drive/folders/1jm9h8JNmezTt7AbHYRY7gPC4lXGDNklL
- https://www.exploit-db.com/exploits/50996
- https://www.telosalliance.com/radio-processing/audio-interfaces/omnia-mpx-node