CVE-2020-22002

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF) against Inim Electronics Smartliving SmartLAN/G/SI devices. By supplying an arbitrary value in the 'host' parameter of the GetImage functionality, an attacker can make the device issue HTTP requests to hosts of the attacker's choosing, whether on the Internet or on the network behind the device. All versions up to and including 6.x of these IoT/automation devices are affected.

💻 Affected Systems

Products:
  • Inim Electronics Smartliving SmartLAN
  • Inim Electronics Smartliving SmartLAN/G
  • Inim Electronics Smartliving SmartLAN/SI
Versions: <= 6.x
Operating Systems: Embedded/Linux-based
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the ONVIF CGI interface (onvif.cgi) specifically. The endpoint must be reachable by the attacker; no credentials are required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker uses the device as a request proxy to scan the network behind it, reach internal services that are not exposed to the Internet, or relay attacks against other systems. Depending on what those services expose, this can lead to data exfiltration or lateral movement.

🟠 Likely Case

Information disclosure about internal network services (which hosts and ports answer), scanning of internal infrastructure through the device, and abuse of the device as a relay for request-based attacks on third parties.

🟢 If Mitigated

With the endpoint restricted to trusted hosts and egress filtered, exposure is limited to information gathering about the few services the device can still reach. The flaw itself provides no code execution or authentication bypass.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a crafted GET request to the vulnerable endpoint; the request format is described in the public disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not publicly available

Restart Required: No

Instructions:

No official patch is known at the time of writing. Check with Inim Electronics for firmware releases newer than 6.x and confirm with the vendor that the release addresses this issue before relying on it.

🔧 Temporary Workarounds

Network Access Control (all platforms)

Restrict access to the ONVIF CGI endpoint (onvif.cgi) to the management hosts that need it, using firewall rules or network segmentation. Apply egress filtering as well, so the device can only reach its configured cameras and the vendor services it needs.

Input Validation via WAF (all platforms)

Place a Web Application Firewall or reverse proxy in front of the device and allow only 'host' values that match the configured camera addresses. Deny by default; a blocklist of "malicious" values is easy to bypass with alternate encodings, DNS names or redirects.

🧯 If You Can't Patch

  • Isolate affected devices in a separate network segment with strict egress filtering, so a forged request cannot reach anything beyond the configured cameras
  • Put a reverse proxy with request validation (allowlisted 'host' values only) in front of the ONVIF interface

🔍 How to Verify

Check if Vulnerable:

Send a GET request to /onvif.cgi?host=<listener>, where <listener> is a host you control (for example an HTTP or DNS callback listener on a separate network), and check whether the device connects to it. Do not point the test at third-party domains.

Check Version:

Read the firmware version from the device's administrative web interface; any 6.x or earlier build is within the affected range.

Verify Fix Applied:

Repeat the callback test above after patching or deploying the proxy: no connection should arrive at the listener, and the request should be rejected with an error rather than silently accepted.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to onvif.cgi whose 'host' parameter is not one of the configured camera addresses, especially from clients outside the management network
  • Outbound connections from the device to IPs other than its configured cameras and known vendor services

Network Indicators:

  • HTTP traffic to onvif.cgi with 'host' parameter containing external domains
  • Device making outbound HTTP requests to unusual destinations

SIEM Query:

dest_ip=[device_ip] AND uri_path="*onvif.cgi*" AND query_string="*host=*" AND NOT query_string IN ("*host=[camera_ip_1]*", "*host=[camera_ip_2]*")

The request is sent to the device, so match on the destination address, and replace the bracketed placeholders with the device and configured camera addresses. Any match outside the allowlist is an SSRF attempt or a misconfiguration worth checking.
