CVE-2018-14916

9.1 CRITICAL

📋 TL;DR

CVE-2018-14916 allows unauthenticated attackers to delete arbitrary files on LOYTEC LGATE-902 devices through directory traversal vulnerabilities. This affects LOYTEC LGATE-902 devices running firmware version 6.3.2, potentially impacting building automation and industrial control systems.

💻 Affected Systems

Products:
  • LOYTEC LGATE-902
Versions: 6.3.2
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Devices are typically deployed in building automation and industrial control environments. Default web interface configuration is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through deletion of critical system files, leading to device bricking, service disruption, or enabling further attacks by removing security controls.

🟠 Likely Case

Service disruption through deletion of configuration files or application data, potentially causing building automation systems to malfunction.

🟢 If Mitigated

Limited impact if devices are behind firewalls with strict network segmentation and file integrity monitoring is in place.

🌐 Internet-Facing: HIGH - Exploitation requires no authentication and can be performed remotely via HTTP requests.
🏢 Internal Only: MEDIUM - Still vulnerable to internal attackers or compromised internal systems, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code exists showing HTTP requests with directory traversal sequences to delete files. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Later than 6.3.2 (check vendor for specific version)

Vendor Advisory: https://www.loytec.com/support/security-advisories

Restart Required: Yes

Instructions:

1. Contact LOYTEC support for the latest firmware.
2. Back up the current configuration.
3. Upload the new firmware via the web interface.
4. Restart the device.
5. Restore the configuration if needed.

🔧 Temporary Workarounds

Network Segmentation

Isolate LGATE-902 devices from untrusted networks using firewalls

Access Control Lists

Restrict HTTP access to device web interface to trusted IP addresses only

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate devices from untrusted networks
  • Deploy web application firewall (WAF) with directory traversal protection rules

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface at http://device-ip/status or via SSH if enabled. Version 6.3.2 is vulnerable.

Check Version:

curl -s http://device-ip/status | grep -i version

Verify Fix Applied:

Verify that the firmware version is later than 6.3.2. After the update, file deletion attempts that use traversal sequences should fail.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' sequences
  • File deletion events in system logs
  • Web interface access from unusual IPs

Network Indicators:

  • HTTP requests with traversal patterns (e.g., GET /../../etc/passwd)
  • Multiple DELETE or POST requests to file paths

SIEM Query:

source="web_logs" AND (uri="*../*" OR (method="DELETE" AND uri="*"))
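
The log indicators above, turned into a small scanner (an added example, not code from LOYTEC or from this advisory). It assumes the web log uses the common "combined" access-log format; the sample lines, addresses and request paths are constructed and do not reflect the device's real endpoints. It also decodes percent-encoded and double-encoded sequences, which a literal '../' match would miss.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in "combined" access-log format (an assumption).
# Addresses are documentation ranges; paths are made up for illustration.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2019:10:01:02 +0000] "GET /status HTTP/1.1" 200 512
198.51.100.7 - - [12/Mar/2019:10:01:05 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0
198.51.100.7 - - [12/Mar/2019:10:01:09 +0000] "POST /files?name=%2e%2e%2fconfig HTTP/1.1" 200 0
198.51.100.7 - - [12/Mar/2019:10:01:11 +0000] "POST /files?name=%252e%252e%255cconfig HTTP/1.1" 200 0
192.0.2.10 - - [12/Mar/2019:10:02:00 +0000] "DELETE /data/trend.csv HTTP/1.1" 204 0
192.0.2.10 - - [12/Mar/2019:10:03:00 +0000] "GET /docs/v1..2/readme.txt HTTP/1.1" 200 90
"""

REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
# A ".." path segment: preceded by a separator, followed by "/" or "\" or the end.
TRAVERSAL = re.compile(r'(?:^|[/\\?=&])\.\.(?:[/\\]|$)')

def fully_decode(uri, max_rounds=5):
    """Percent-decode repeatedly so %252e%252e (double encoding) becomes '..'."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def scan(log_text):
    """Return (ip, method, uri, reasons) for each request matching an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        reasons = []
        if TRAVERSAL.search(fully_decode(m["uri"])):
            reasons.append("traversal")
        if m["method"] == "DELETE":
            reasons.append("delete-method")
        if reasons:
            hits.append((m["ip"], m["method"], m["uri"], reasons))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The last sample line contains ".." inside a file name rather than as a path segment and is deliberately not flagged.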
