CVE-2020-11596
📋 TL;DR
CVE-2020-11596 is a directory traversal vulnerability in CIPPlanner CIPAce 9.1 that allows unauthenticated attackers to enumerate files and directories on the server. This affects organizations using CIPAce 9.1 Build 2019092801 for enterprise planning. Attackers can discover sensitive files without authentication.
💻 Affected Systems
- CIPPlanner CIPAce
📦 What is this software?
CIPAce by CIPPlanner
⚠️ Risk & Real-World Impact
Worst Case
Attackers map the entire server filesystem, discover configuration files with credentials, database backups, or sensitive documents, leading to full system compromise.
Likely Case
Attackers enumerate directory structures to find vulnerable components, configuration files, or backup files for further exploitation.
If Mitigated
With proper network segmentation and access controls, impact is limited to information disclosure about directory structure.
🎯 Exploit Status
Simple HTTP GET requests with directory traversal sequences can exploit this vulnerability without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions later than 9.1 Build 2019092801
Vendor Advisory: https://www.criticalstart.com/vulnerabilities-discovered-in-cipace-enterprise-platform/
Restart Required: Yes
Instructions:
1. Contact CIPPlanner for updated version.
2. Backup current configuration.
3. Install updated version.
4. Restart CIPAce services.
5. Verify functionality.
🔧 Temporary Workarounds
Network Access Restriction
Restrict access to the CIPAce web interface to trusted IP addresses only
# Configure firewall rules to allow only specific IPs to CIPAce port (typically 80/443)
Web Application Firewall
Deploy a WAF with directory traversal protection rules
# Configure WAF to block requests containing ../ or directory traversal patterns
🧯 If You Can't Patch
- Implement strict network segmentation to isolate CIPAce server from untrusted networks
- Deploy intrusion detection systems to monitor for directory traversal attempts
🔍 How to Verify
Check if Vulnerable:
Test HTTP GET requests to CIPAce URLs with directory traversal sequences like ../../../../etc/passwd or similar patterns
Check Version:
Check CIPAce web interface admin panel or consult CIPPlanner documentation for version information
Verify Fix Applied:
Attempt directory traversal attacks after patching; successful requests should return error pages instead of directory listings
📡 Detection & Monitoring
Log Indicators:
- HTTP GET requests containing ../ sequences
- Unusual file path requests to CIPAce URLs
- Multiple 404 errors for non-existent directory paths
Network Indicators:
- HTTP requests with encoded directory traversal sequences (%2e%2e%2f)
- Burst of GET requests to CIPAce from single source
SIEM Query:
source="CIPAce_logs" AND (uri="*../*" OR uri="*..%2f*" OR uri="*%2e%2e%2f*")
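The log and network indicators above can also be checked offline against web server access logs. The following is an added example, not part of the original advisory or any CIPPlanner tooling: it goes beyond the three literal patterns in the SIEM query by percent-decoding each URI repeatedly before matching, so mixed-case and double-encoded sequences are caught, and it flags sources that produce a burst of matches. The Common Log Format layout, the `/app/...` paths, the addresses and the burst threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (assumed layout; adapt LINE_RE to your server).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Apr/2020:10:00:01 +0000] "GET /app/page?path=../../ HTTP/1.1" 200 512
198.51.100.7 - - [01/Apr/2020:10:00:02 +0000] "GET /app/page?path=%2e%2e%2fconfig HTTP/1.1" 404 0
198.51.100.7 - - [01/Apr/2020:10:00:03 +0000] "GET /app/page?path=%252E%252E%255Cbackup HTTP/1.1" 404 0
203.0.113.20 - - [01/Apr/2020:10:00:04 +0000] "GET /app/home HTTP/1.1" 200 2048
203.0.113.20 - - [01/Apr/2020:10:00:05 +0000] "GET /app/report..final.pdf HTTP/1.1" 200 900
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
# ".." only counts when it is a whole path segment, so "report..final.pdf" is not flagged.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=?&])\.\.(?:[/\\]|$)')

def normalize(uri, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded sequences compare equal."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def is_traversal(uri):
    """True when the decoded URI contains a ".." path segment."""
    return bool(TRAVERSAL_RE.search(normalize(uri)))

def scan(log_text, burst_threshold=3):
    """Return (hits, noisy): matching (src, uri, status) tuples and sources at or over the threshold."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_traversal(m["uri"]):
            hits.append((m["src"], m["uri"], int(m["status"])))
    per_source = Counter(src for src, _, _ in hits)
    noisy = sorted(s for s, n in per_source.items() if n >= burst_threshold)
    return hits, noisy

if __name__ == "__main__":
    hits, noisy = scan(SAMPLE_LOG)
    for src, uri, status in hits:
        print(f"{src} {status} {uri}")
    print("burst sources:", noisy)
```

The status code is kept with each hit so that matches answered with 200 can be reviewed before those answered with 404.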