CVE-2019-12314
📋 TL;DR
CVE-2019-12314 is a critical local file inclusion vulnerability in Deltek Maconomy ERP software that allows attackers to read arbitrary files on the server via path traversal. This affects Deltek Maconomy version 2.2.5 installations. Attackers can exploit this to access sensitive system files like /etc/passwd.
💻 Affected Systems
- Deltek Maconomy
📦 What is this software?
Maconomy by Deltek
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via reading sensitive configuration files, credentials, or executing arbitrary code through file inclusion of malicious scripts.
Likely Case
Information disclosure of sensitive files including configuration files, credentials, and system files leading to further attacks.
If Mitigated
Limited impact if proper network segmentation, file permissions, and web application firewalls are in place.
🎯 Exploit Status
Simple HTTP request with path traversal in URI can trigger the vulnerability. Multiple public exploit scripts exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.6 or later
Vendor Advisory: https://github.com/ras313/CVE-2019-12314/security/advisories/GHSA-8762-rf4g-23xm
Restart Required: Yes
Instructions:
1. Contact Deltek support for patch 2.2.6 or later.
2. Apply the patch following vendor instructions.
3. Restart the Maconomy application server.
4. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Web Application Firewall Rule
Platform: all. Block requests containing path traversal patterns in the URI.
WAF-specific configuration to block patterns like '../', '/etc/passwd', 'WS.macx1.W_MCS' in PATH_INFO
File Permission Restriction
Platform: Linux/Windows. Restrict web server user permissions to limit file access.
chmod 750 /etc/passwd (Linux; note that /etc/passwd is normally world-readable and many services depend on that, so test this change before applying it in production)
icacls C:\Windows\System32\config /deny IIS_IUSRS:(R) (Windows)
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Maconomy servers from internet and untrusted networks.
- Deploy a web application firewall (WAF) with rules to block path traversal patterns and monitor for exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Send HTTP GET request to: http://[target]/cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS/etc/passwd and check if /etc/passwd contents are returned.
Check Version:
Check Maconomy version in application interface or consult Deltek documentation for version checking.
Verify Fix Applied:
Attempt the same request after patching; it should return an error or no file contents.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing 'WS.macx1.W_MCS' followed by path traversal patterns
- Access to sensitive file paths in web server logs
- Unusual file read operations from web process
Network Indicators:
- HTTP GET requests with '/etc/passwd', '/etc/shadow', or Windows equivalent paths in URI
- Traffic to vulnerable endpoint with abnormal file paths
SIEM Query:
source="web_server_logs" AND (uri="*WS.macx1.W_MCS*" AND (uri="*../*" OR uri="*/etc/passwd*" OR uri="*C:\\Windows\\*"))
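The log indicators and SIEM query above can be applied offline to web server access logs. The following is an added example, not code from the original page or from Deltek: it parses constructed Common Log Format lines (the sample log below is invented for illustration, not taken from a real Maconomy host), decodes percent-encoding so that encoded traversal such as `..%2f` is caught as well as the literal `../` the SIEM query looks for, and flags requests that hit the `WS.macx1.W_MCS` endpoint with traversal sequences or sensitive paths. It goes slightly beyond the query by also normalising Windows backslashes and recording whether the server answered 200, which separates likely-successful reads from blocked attempts.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). These are invented
# for the example and do not come from any real Maconomy installation.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2019:10:01:02 +0000] "GET /cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS/etc/passwd HTTP/1.1" 200 1834
10.0.0.5 - - [20/May/2019:10:01:03 +0000] "GET /cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS/..%2f..%2fetc%2fshadow HTTP/1.1" 200 512
10.0.0.7 - - [20/May/2019:10:02:10 +0000] "GET /cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS/reports/summary HTTP/1.1" 200 9021
10.0.0.9 - - [20/May/2019:10:03:00 +0000] "GET /static/logo.png HTTP/1.1" 200 4410
10.0.0.5 - - [20/May/2019:10:04:11 +0000] "GET /cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS/C:\\Windows\\win.ini HTTP/1.1" 403 0
"""

# CLF: client ident authuser [timestamp] "METHOD URI PROTOCOL" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Endpoint fragment named in the advisory's log indicators.
ENDPOINT_MARKER = "ws.macx1.w_mcs"

# Sensitive paths from the page's network indicators, in normalised (lowercase,
# forward-slash) form so both /etc/passwd and C:\Windows\... are matched.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "c:/windows/")


def normalize_uri(uri: str) -> str:
    """Decode percent-encoding twice (catches double-encoded traversal),
    lowercase, and unify backslashes to forward slashes."""
    decoded = unquote(unquote(uri))
    return decoded.lower().replace("\\", "/")


def classify(uri: str) -> list:
    """Return the reasons a request URI matches the CVE-2019-12314 indicators,
    or an empty list if the request looks benign."""
    norm = normalize_uri(uri)
    if ENDPOINT_MARKER not in norm:
        return []
    reasons = []
    if "../" in norm:
        reasons.append("path traversal sequence")
    for path in SENSITIVE_PATHS:
        if path in norm:
            reasons.append(f"sensitive path {path}")
    return reasons


def scan_log(text: str) -> list:
    """Parse CLF lines and return one finding per suspicious request.
    A 200 response is recorded as a likely successful file read; other
    statuses are still reported because they show an attempt."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not CLF
        src, ts, method, uri, status = m.group(1), m.group(2), m.group(3), m.group(4), int(m.group(5))
        reasons = classify(uri)
        if reasons:
            findings.append({
                "src": src,
                "time": ts,
                "method": method,
                "uri": uri,
                "status": status,
                "likely_success": status == 200,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        outcome = "LIKELY READ" if f["likely_success"] else "attempt"
        print(f'{f["time"]} {f["src"]} {outcome} {f["uri"]} :: {", ".join(f["reasons"])}')
```

Running the script over the constructed sample reports the three requests aimed at the endpoint with traversal or sensitive paths and leaves the legitimate report request and the static asset alone; the same `classify` function can be pointed at real access logs or wired into a SIEM enrichment step.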
🔗 References
- http://packetstormsecurity.com/files/153079/Deltek-Maconomy-2.2.5-Local-File-Inclusion.html
- https://github.com/JameelNabbo/exploits/blob/master/Maconomy%20Erp%20local%20file%20include.txt
- https://github.com/ras313/CVE-2019-12314/security/advisories/GHSA-8762-rf4g-23xm