CVE-2020-10579
📋 TL;DR
This vulnerability allows remote attackers to perform directory traversal attacks on Invigo Automatic Device Management (ADM) systems. By exploiting the /admin/sysmon.php script, attackers can list contents of arbitrary server directories accessible to the application user. Organizations running Invigo ADM through version 5.0 are affected.
💻 Affected Systems
- Invigo Automatic Device Management (ADM)
⚠️ Risk & Real-World Impact
Worst Case
Attackers could enumerate sensitive files, discover credentials, configuration files, or other sensitive data, potentially leading to full system compromise.
Likely Case
Attackers will enumerate directory contents to map the system, discover sensitive files, and gather intelligence for further attacks.
If Mitigated
With proper network segmentation and access controls, impact is limited to directory enumeration within the application's accessible scope.
🎯 Exploit Status
Directory traversal vulnerabilities are typically easy to exploit with simple HTTP requests; no authentication is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 5.0
Vendor Advisory: https://www.on-x.com/sites/default/files/security_advisory_-_multiple_vulnerabilities_-_invigo_adm.pdf
Restart Required: Yes
Instructions:
1. Contact Invigo for an updated version beyond 5.0.
2. Back up the current configuration.
3. Apply the patch/upgrade.
4. Restart the ADM service.
5. Verify functionality.
🔧 Temporary Workarounds
Web Server Access Restriction
Restrict access to the /admin/sysmon.php script using web server configuration or WAF rules.
# Apache 2.2 example (on Apache 2.4 without mod_access_compat, replace the two directives with "Require all denied"):
<Location "/admin/sysmon.php">
    Order deny,allow
    Deny from all
</Location>
# Nginx example:
location = /admin/sysmon.php { deny all; }
Network Segmentation
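Restrict network access to the ADM administration interface to trusted IP addresses only.
# Firewall rule example (Linux); the ACCEPT rule only restricts access when a DROP rule for the same port follows it:
iptables -A INPUT -p tcp --dport [ADM_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [ADM_PORT] -j DROP
# Windows Firewall (-Protocol is required when -LocalPort is given):
New-NetFirewallRule -DisplayName "Restrict ADM Access" -Direction Inbound -Protocol TCP -LocalPort [ADM_PORT] -RemoteAddress [TRUSTED_IP] -Action Allow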
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the ADM web interface
- Deploy a web application firewall (WAF) with directory traversal protection rules
🔍 How to Verify
Check if Vulnerable:
Test by sending a crafted request to /admin/sysmon.php with directory traversal payloads (e.g., ../../../etc/passwd) and checking for directory listing responses.
Check Version:
Check the ADM web interface or configuration files for version information; consult Invigo documentation for specific version check commands.
Verify Fix Applied:
After patching, repeat the vulnerability test; a successful fix should return error messages or deny access instead of directory listings.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /admin/sysmon.php containing ../ patterns
- Unusual access patterns to the admin interface from unexpected IPs
- Error logs showing directory traversal attempts
Network Indicators:
- HTTP requests with ../ sequences in URL parameters
- Multiple rapid requests to sysmon.php with varying directory paths
SIEM Query:
source="web_logs" AND url="*/admin/sysmon.php*" AND (url="*../*" OR parameters="*../*")
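The log indicators above can be checked offline against an access log. The following is an added example, not part of the original advisory or vendor tooling: it assumes Apache/Nginx "combined" log format, and the sample lines, IP addresses and the query parameter name `p` are constructed placeholders. It goes slightly beyond the literal `../` match by percent-decoding first, so encoded and double-encoded sequences are also caught.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Combined log format: client IP, ident, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# ".." used as a path segment (after a separator, followed by / or \ or end of string)
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&?])\.\.(?:[/\\]|$)')
SCRIPT = "/admin/sysmon.php"

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e%2f and %252e%252e%252f both become ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines, burst_threshold=3):
    """Return (traversal_hits, burst_ips) for requests aimed at SCRIPT."""
    hits, queries_by_ip = [], defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        parts = urlsplit(m["target"])
        if fully_decode(parts.path).lower() != SCRIPT:
            continue  # only requests to the affected script are of interest
        query = fully_decode(parts.query)
        queries_by_ip[m["ip"]].add(query)
        if TRAVERSAL_RE.search(query):
            hits.append((m["ip"], int(m["status"]), query))
    # Many distinct query strings from one client suggests directory enumeration
    burst = sorted(ip for ip, qs in queries_by_ip.items() if len(qs) >= burst_threshold)
    return hits, burst

# Constructed sample log lines (documentation IP ranges, hypothetical parameter "p")
SAMPLE = [
    '198.51.100.7 - - [10/Mar/2020:10:00:01 +0000] "GET /admin/sysmon.php?p=../../../etc HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2020:10:00:02 +0000] "GET /admin/sysmon.php?p=%2e%2e%2f%2e%2e%2fvar HTTP/1.1" 200 498',
    '198.51.100.7 - - [10/Mar/2020:10:00:03 +0000] "GET /admin/sysmon.php?p=%252e%252e%252fhome HTTP/1.1" 403 120',
    '192.0.2.10 - - [10/Mar/2020:10:05:00 +0000] "GET /admin/sysmon.php?p=logs HTTP/1.1" 200 300',
    '192.0.2.10 - - [10/Mar/2020:10:05:09 +0000] "GET /index.php?q=../x HTTP/1.1" 404 90',
]

if __name__ == "__main__":
    for ip, status, query in scan(SAMPLE)[0]:
        print(f"traversal attempt from {ip} (HTTP {status}): {query}")
```

A hit logged with status 200 deserves more attention than one answered with 403 or 404, since it indicates the request was served rather than blocked.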