CVE-2019-15102
📋 TL;DR
CVE-2019-15102 is a critical vulnerability in Tyto Sahi Pro automation testing software that allows unauthenticated attackers to execute arbitrary scripts on the server, leading to remote code execution. The vulnerability affects Sahi Pro versions 6.x through 8.0.0 due to missing authentication mechanisms and insufficient server-side validation. Organizations using vulnerable versions of Sahi Pro for automated testing are at risk.
💻 Affected Systems
- Tyto Sahi Pro
📦 What is this software?
Sahi Pro by Sahipro
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Sahi Pro server with full remote code execution, allowing attackers to install malware, exfiltrate data, pivot to internal networks, or disrupt testing operations.
Likely Case
Attackers gain unauthorized access to execute testing scripts, potentially modifying test results, accessing sensitive test data, or using the server as a foothold for further attacks.
If Mitigated
Limited impact with proper network segmentation and access controls, potentially only affecting the isolated testing environment.
🎯 Exploit Status
Exploitation is straightforward - attackers can chain the authentication bypass with the lack of server-side validation to achieve RCE. Public technical details are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.0.1 or later
Vendor Advisory: https://sahipro.com/
Restart Required: Yes
Instructions:
1. Download Sahi Pro version 8.0.1 or later from the official vendor website.
2. Backup existing configurations and scripts.
3. Stop all Sahi Pro services.
4. Install the updated version.
5. Restart Sahi Pro services.
6. Verify authentication is now required for all endpoints.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the Sahi Pro server to trusted IP addresses or internal networks only.
# Example firewall rule (Linux):
sudo iptables -A INPUT -p tcp --dport <sahi_port> -s <trusted_ip> -j ACCEPT
# Example firewall rule (Windows):
New-NetFirewallRule -DisplayName "Restrict Sahi" -Direction Inbound -LocalPort <sahi_port> -RemoteAddress <trusted_ip> -Action Allow
Note that both rules only allow the trusted address; they restrict nothing unless inbound traffic to <sahi_port> from other sources is dropped, either by the default inbound policy or by a following deny rule for that port.
Disable Remote Access Endpoints
Disable or block access to the TestRunner distributed/non-distributed endpoints if they are not needed.
# Modify Sahi configuration to disable remote endpoints or use firewall to block ports
🧯 If You Can't Patch
- Isolate the Sahi Pro server in a dedicated network segment with strict access controls
- Implement network monitoring and intrusion detection specifically for Sahi Pro traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check Sahi Pro version via web interface or configuration files. Versions 6.0.0 through 8.0.0 are vulnerable. Test if TestRunner endpoints accept requests without authentication.
Check Version:
Check sahi/userdata/config/sahi.properties or web interface for version information
Verify Fix Applied:
After patching, verify version is 8.0.1 or later. Test that all endpoints now require authentication and server-side validation is present for script management.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access attempts to TestRunner endpoints
- Unexpected script execution or modification events
- Access from unauthorized IP addresses to Sahi Pro ports
Network Indicators:
- Unusual traffic to Sahi Pro default ports (typically 9999)
- HTTP requests to /_s_/dyn/TestRunner endpoints without authentication headers
- Script upload/modification requests without proper authentication
SIEM Query:
(source="sahi.log" AND ("TestRunner" OR "unauthenticated" OR "script upload")) OR (dest_port=9999 AND NOT src_ip IN [trusted_ips])
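As an added example for the detection section above (not Sahi Pro's own code or part of the advisory), the following Python scans constructed proxy access-log lines for two of the indicators listed: requests to the /_s_/dyn/TestRunner path with no authentication header, and requests to it from outside a trusted range. The log format, field names and the 10.20.0.0/16 trusted subnet are assumptions.

```python
import ipaddress
import re

# Assumed access-log format from a reverse proxy in front of Sahi Pro, one
# request per line; the field names are assumptions made for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) auth=(?P<auth>\S+) status=(?P<status>\d+)$"
)
TESTRUNNER_PREFIX = "/_s_/dyn/TestRunner"  # endpoint named in the advisory
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed CI subnet

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(ev, trusted_nets=TRUSTED_NETS):
    """Return the reasons an event is suspicious; an empty list is benign."""
    reasons = []
    if not ev["path"].startswith(TESTRUNNER_PREFIX):
        return reasons  # only TestRunner traffic is in scope
    if ev["auth"] == "-":  # the proxy logs '-' when no Authorization header
        reasons.append("no-auth-header")
    if not any(ipaddress.ip_address(ev["src"]) in n for n in trusted_nets):
        reasons.append("untrusted-source")
    return reasons

def scan(lines, trusted_nets=TRUSTED_NETS):
    """Apply both checks to raw log lines and return one alert per hit."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip unparseable lines rather than crash the scan
        reasons = classify(ev, trusted_nets)
        if reasons:
            alerts.append({"ts": ev["ts"], "src": ev["src"], "reasons": reasons})
    return alerts

# Constructed sample lines: one benign, one internal-but-unauthenticated,
# one external-and-unauthenticated, one unrelated endpoint, one junk line.
SAMPLE_LOG = [
    "2019-08-20T10:00:01Z src=10.20.4.7 method=GET path=/_s_/dyn/TestRunner auth=Basic status=200",
    "2019-08-20T10:00:05Z src=10.20.4.9 method=POST path=/_s_/dyn/TestRunner auth=- status=200",
    "2019-08-20T10:01:12Z src=203.0.113.9 method=POST path=/_s_/dyn/TestRunner auth=- status=200",
    "2019-08-20T10:01:40Z src=203.0.113.9 method=GET path=/_s_/dyn/OtherEndpoint auth=- status=404",
    "not a log line",
]
```

Running `scan(SAMPLE_LOG)` yields two alerts: the internal request flagged for the missing header, and the external one flagged for both reasons; the unrelated endpoint and the junk line are ignored.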