CVE-2020-27361
📋 TL;DR
This vulnerability in Akkadian Provisioning Manager allows attackers to access sensitive information stored in the /pme subdirectories without authentication. It affects organizations using Akkadian Provisioning Manager version 4.50.02, potentially exposing configuration data, credentials, or other sensitive information.
💻 Affected Systems
- Akkadian Provisioning Manager
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to sensitive configuration files, credentials, or proprietary data, leading to complete system compromise or data breach.
Likely Case
Unauthorized users access sensitive information that could be used for further attacks or reconnaissance.
If Mitigated
Limited exposure with proper access controls and monitoring in place.
🎯 Exploit Status
Direct directory traversal/access vulnerability requiring minimal technical skill to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 4.50.02 (check vendor for specific fixed version)
Vendor Advisory: https://www.akkadianlabs.com/security-advisories/
Restart Required: Yes
Instructions:
1. Contact Akkadian Labs for the latest patched version.
2. Backup current configuration.
3. Install the updated version.
4. Restart the Provisioning Manager service.
🔧 Temporary Workarounds
Restrict Access to /pme Directory
Configure the web server or application firewall to block access to /pme subdirectories.
# Example for Apache:
<Location "/pme">
    Require all denied
</Location>
# Example for Nginx:
location /pme { deny all; }
Implement Authentication
Require authentication for all /pme directory access.
# Configure appropriate authentication in your web server configuration
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the Provisioning Manager from untrusted networks.
- Deploy a web application firewall (WAF) with rules to block access to /pme paths.
🔍 How to Verify
Check if Vulnerable:
Request http://[server]/pme/ or one of its subdirectories without authenticating. If the content is returned, the system is vulnerable.
Check Version:
Check the Provisioning Manager web interface or configuration files for version information.
Verify Fix Applied:
After patching, verify that accessing /pme paths returns appropriate access denied or authentication required responses.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to /pme directories
- Multiple failed authentication attempts followed by /pme access
Network Indicators:
- HTTP requests to /pme paths from unauthorized IP addresses
SIEM Query:
source="web_server_logs" AND (uri="/pme/*" OR uri="/pme") AND response_code=200
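The SIEM query above, worked through as an added Python example (not vendor or Akkadian code): it parses access-log lines, normalises the request path so the match does not depend on how /pme was written, and counts successful unauthenticated responses per client. Assumptions: the server writes the Apache/Nginx "combined" log format, and an empty remote-user field ("-") means no HTTP-level authentication took place; the sample lines and file names are constructed.

```python
import re
from collections import Counter
from posixpath import normpath
from urllib.parse import unquote

# Assumption: Apache/Nginx "combined" access log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_pme_path(target):
    """True if the request target resolves to /pme or anything below it."""
    path = unquote(target.split("?", 1)[0])   # drop query, decode %xx once
    path = normpath("/" + path.lstrip("/"))   # collapse //, ./ and ../
    path = path.lower()                       # conservative: ignore case
    return path == "/pme" or path.startswith("/pme/")

def unauthenticated_pme_hits(lines):
    """Parsed 2xx requests under /pme whose remote-user field is "-"."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if (m and m["user"] == "-" and m["status"].startswith("2")
                and is_pme_path(m["target"])):
            hits.append(m.groupdict())
    return hits

def hits_by_source(hits):
    """Count flagged requests per client address for triage."""
    return Counter(h["ip"] for h in hits)

# Constructed sample lines: documentation IP ranges, made-up file names.
TS = "[10/Oct/2020:13:55:36 +0000]"
SAMPLE = [
    f'198.51.100.7 - - {TS} "GET /pme/ HTTP/1.1" 200 512 "-" "-"',
    f'198.51.100.7 - - {TS} "GET /pme//example.txt?x=1 HTTP/1.1" 200 2048 "-" "-"',
    f'198.51.100.7 - - {TS} "GET /PME/example.txt HTTP/1.1" 200 2048 "-" "-"',
    f'203.0.113.9 - - {TS} "GET /pme/example.txt HTTP/1.1" 403 199 "-" "-"',
    f'192.0.2.4 - alice {TS} "GET /pme/example.txt HTTP/1.1" 200 2048 "-" "-"',
    f'192.0.2.4 - - {TS} "GET /pmexport/index.html HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for ip, n in hits_by_source(unauthenticated_pme_hits(SAMPLE)).most_common():
        print(f"{ip}: {n} unauthenticated 2xx response(s) under /pme")
```

If the application authenticates with session cookies rather than HTTP authentication, the remote-user field is always "-", so correlate flagged requests with application login records before treating them as exposure.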