CVE-2019-25351
📋 TL;DR
Centova Cast 3.2.11 contains an arbitrary file download vulnerability in the server.copyfile API endpoint. Authenticated attackers can exploit this to retrieve sensitive system files like /etc/passwd. This affects all Centova Cast installations running version 3.2.11.
💻 Affected Systems
- Centova Cast
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through retrieval of sensitive configuration files, passwords, SSH keys, or database credentials leading to lateral movement and data exfiltration.
Likely Case
Attackers download system files containing sensitive information, potentially gaining access to user credentials, configuration secrets, or other protected data.
If Mitigated
Limited impact with proper network segmentation, strong authentication controls, and file permission restrictions preventing access to critical system files.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB. Attack requires valid authentication credentials to the Centova Cast interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.12 or later
Vendor Advisory: https://centova.com
Restart Required: Yes
Instructions:
1. Back up your current installation and configuration.
2. Download the latest version from Centova's official website.
3. Follow the upgrade instructions provided by Centova.
4. Restart the Centova Cast service.
5. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
API Endpoint Restriction
Platform: Linux
Restrict access to the vulnerable server.copyfile API endpoint using web server configuration or firewall rules.
# For Apache: add to the virtual host or server config (<Location> is not allowed in .htaccess)
<Location "/api/server.copyfile">
    # Apache 2.4+; on Apache 2.2 use: Deny from all
    Require all denied
</Location>
# For Nginx: add to server block
location /api/server.copyfile {
    deny all;
}
File Permission Hardening
Platform: Linux
Restrict file permissions on sensitive system files to prevent them from being read by the web server user.
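# Caution: /etc/passwd normally has to stay world-readable (0644) so non-root processes can resolve users; test before applying this line
chmod 600 /etc/passwd
chmod 600 /etc/shadow
chmod 600 /etc/ssh/ssh_host_*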
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Centova Cast servers from sensitive systems and data.
- Enforce strong authentication policies including multi-factor authentication and regular credential rotation.
🔍 How to Verify
Check if Vulnerable:
Test the server.copyfile endpoint with authenticated access using curl:
curl -X POST -H 'Content-Type: application/json' -d '{"source":"/etc/passwd","destination":"/tmp/test"}' http://[target]/api/server.copyfile --user [username:password]
Check Version:
Check the Centova Cast version in the web interface under System Information or run:
grep 'version' /usr/local/centovacast/version.txt
Verify Fix Applied:
Attempt the same exploit after patching; it should return an error or fail to download system files.
📡 Detection & Monitoring
Log Indicators:
- Unusual API calls to server.copyfile endpoint
- Multiple failed authentication attempts followed by successful API access
- Large file downloads from the API endpoint
Network Indicators:
- POST requests to /api/server.copyfile with file paths in parameters
- Unusual outbound traffic patterns from the Centova Cast server
SIEM Query:
source="centova.log" AND (uri_path="/api/server.copyfile" OR (method="POST" AND uri_path CONTAINS "server.copyfile"))
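The log and network indicators above, applied to request events in code. This is an added example, not code from the original page or from Centova. It assumes JSON-lines events with the fields method, uri_path, src_ip, user and body, and a placeholder media root /srv/centova-media; the sample events are constructed.

```python
import json
import posixpath

ALLOWED_BASE = "/srv/centova-media"  # assumption: placeholder for the legitimate media root
ENDPOINT = "server.copyfile"         # endpoint name from the advisory


def outside_base(path, base=ALLOWED_BASE):
    """True when the path, with '.' and '..' collapsed, is not under base."""
    norm = posixpath.normpath(path)
    return not (norm == base or norm.startswith(base + "/"))


def flag_copyfile_events(lines):
    """Return (src_ip, user, reason) for each suspicious server.copyfile call."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # not a JSON event
        if not isinstance(ev, dict) or ev.get("method") != "POST":
            continue
        if ENDPOINT not in str(ev.get("uri_path", "")):
            continue
        who = (ev.get("src_ip"), ev.get("user"))
        try:
            source = json.loads(ev["body"])["source"]
        except (ValueError, KeyError, TypeError):
            alerts.append(who + ("unparseable body",))
            continue
        if not isinstance(source, str) or outside_base(source):
            alerts.append(who + (f"source outside base: {source}",))
    return alerts


def _ev(method, uri, ip, user, body):
    # Helper that builds one constructed event in the assumed log schema.
    return json.dumps({"method": method, "uri_path": uri, "src_ip": ip, "user": user, "body": body})


# Constructed sample events (documentation IP ranges, invented users).
SAMPLE = [
    _ev("POST", "/api/server.copyfile", "198.51.100.7", "dj1", '{"source":"/srv/centova-media/a.mp3","destination":"/srv/centova-media/b.mp3"}'),
    _ev("POST", "/api/server.copyfile", "203.0.113.9", "dj2", '{"source":"/etc/passwd","destination":"/tmp/test"}'),
    _ev("POST", "/api/server.copyfile", "203.0.113.9", "dj2", '{"source":"/srv/centova-media/../../etc/shadow","destination":"/tmp/x"}'),
    _ev("POST", "/api/server.copyfile", "203.0.113.9", "dj2", "source=/etc/passwd"),
    _ev("GET", "/api/server.status", "198.51.100.7", "dj1", ""),
]
```

The path check is lexical only, so a source that reaches a sensitive file through a symlink inside the base directory is not flagged.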