CVE-2019-15931
📋 TL;DR
CVE-2019-15931 is a directory traversal vulnerability in Intesync Solismed 3.3sp that allows attackers to access files outside the intended directory. This affects all organizations using Solismed 3.3sp without proper input validation. Attackers can potentially read sensitive system files through crafted HTTP requests.
💻 Affected Systems
- Intesync Solismed
📦 What is this software?
Solismed by Intesync
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through reading sensitive configuration files, credentials, or patient data, potentially leading to data breach and regulatory violations.
Likely Case
Unauthorized access to sensitive files containing configuration data, user credentials, or patient information.
If Mitigated
Limited impact with proper web application firewalls and input validation controls in place.
🎯 Exploit Status
Directory traversal vulnerabilities are typically easy to exploit with simple HTTP requests containing path traversal sequences.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Contact vendor for patched version
Vendor Advisory: https://www.solismed.com/
Restart Required: Yes
Instructions:
1. Contact Intesync for patched version of Solismed 3.3sp. 2. Backup current installation. 3. Apply vendor-provided patch. 4. Restart Solismed services. 5. Verify fix is working.
🔧 Temporary Workarounds
Web Application Firewall Rules
allImplement WAF rules to block directory traversal patterns in HTTP requests
# Example mod_security rule: SecRule ARGS "\.\./" "id:1001,phase:2,deny,msg:'Directory Traversal Attempt'
Input Validation Filter
allAdd input validation to filter out path traversal sequences before processing
# Example in application code: filter_input(INPUT_GET, 'file', FILTER_SANITIZE_STRING)
🧯 If You Can't Patch
- Isolate Solismed system in separate network segment with strict access controls
- Implement network-based intrusion detection to monitor for traversal attempts
🔍 How to Verify
Check if Vulnerable:
Test with HTTP requests containing traversal sequences like ../../etc/passwd to Solismed endpointsCheck Version:
Check Solismed version in web interface or configuration filesVerify Fix Applied:
Attempt same traversal requests and verify they are blocked or return error📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing ../ patterns
- Access to unexpected file paths in web logs
- Failed file access attempts outside web root
Network Indicators:
- HTTP requests with encoded traversal sequences (%2e%2e%2f)
- Multiple failed file access attempts
SIEM Query:
source="web_logs" AND ("../" OR "..\\" OR "%2e%2e%2f")🔗 References
- https://bishopfox.com
- https://know.bishopfox.com/advisories/solismed-critical
- https://www.bishopfox.com/blog/news-category/advisories/
- https://www.solismed.com/
- https://bishopfox.com
- https://know.bishopfox.com/advisories/solismed-critical
- https://www.bishopfox.com/blog/news-category/advisories/
- https://www.solismed.com/
