CVE-2020-29551

9.1 CRITICAL

📋 TL;DR

This vulnerability in URVE software allows unauthenticated attackers to access sensitive internal files and execute system commands, including shutdown and restart functions. It affects URVE Build 24.03.2020 due to missing authorization checks on internal endpoints. Organizations using this specific build are vulnerable to system disruption and unauthorized access.

💻 Affected Systems

Products:
  • URVE Software
Versions: Build 24.03.2020
Operating Systems: Any OS running URVE software
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of this specific build are vulnerable by default. Based on the references, the software appears to be a room reservation system.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing remote code execution, system shutdown/restart, configuration theft, and data manipulation leading to service disruption and data breach.

🟠 Likely Case

Unauthorized system shutdown/restart causing service disruption, access to sensitive configuration files, and potential execution of limited commands.

🟢 If Mitigated

No impact if proper network segmentation and access controls prevent access to vulnerable endpoints.

🌐 Internet-Facing: HIGH - Directly accessible via web interface without authentication, allowing remote exploitation.
🏢 Internal Only: HIGH - Even internal attackers can exploit without credentials, though network controls may limit exposure.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests to specific paths. Public proof-of-concept exists in disclosure reports showing direct access to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://urve.co.uk/system-rezerwacji-sal

Restart Required: No

Instructions:

1. Check vendor website for updated version.
2. If update available, backup configuration.
3. Install updated version.
4. Verify vulnerable endpoints are no longer accessible.

🔧 Temporary Workarounds

Web Server Access Control

all

Block access to vulnerable paths using web server configuration

# Apache 2.4: add to the server or virtual host config
# (<LocationMatch> is not permitted in .htaccess files)
<LocationMatch "^/(_internal|ews|utils/backup|MyScreens|kreator\.html5)/">
    Require all denied
</LocationMatch>

# Nginx: add to the server block
location ~ ^/(_internal|ews|utils/backup|MyScreens|kreator\.html5)/ {
    deny all;
    return 403;
}

Network Segmentation

all

Restrict network access to URVE system

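# Firewall rule examples
# Linux iptables (replace trusted_network with the allowed source range;
# the ACCEPT rules must come before the DROP rules):
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
# Windows Firewall:
# Note: this rule blocks ports 80/443 for every remote address, trusted hosts
# included; Windows Firewall block rules override allow rules.
netsh advfirewall firewall add rule name="Block URVE External" dir=in action=block protocol=TCP localport=80,443 remoteip=any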

🧯 If You Can't Patch

  • Implement strict network access controls to limit URVE system access to authorized users only
  • Deploy web application firewall (WAF) with rules blocking access to vulnerable paths

🔍 How to Verify

Check if Vulnerable:

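Attempt HTTP GET requests to vulnerable endpoints like http://[target]/_internal/pc/shutdown.php. If they are accessible without authentication, the system is vulnerable. Because the affected endpoints include shutdown and restart functions, a successful request may take the host down, so run this check where an interruption is acceptable.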

Check Version:

Check URVE interface or configuration files for version information. Look for 'Build 24.03.2020' in system files or web interface.

Verify Fix Applied:

Verify vulnerable endpoints return 403 Forbidden or are inaccessible. Test with: curl -v http://[target]/_internal/pc/shutdown.php

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /_internal/, /ews/, /utils/backup/, /MyScreens/, /kreator.html5/ paths
  • Unusual system shutdown/restart events
  • Access to runcmd.php or getConfiguration.php from unauthorized IPs

Network Indicators:

  • HTTP requests to vulnerable paths from unexpected sources
  • Multiple rapid requests to shutdown/restart endpoints
  • Traffic to internal URVE paths from external networks

SIEM Query:

source="web_logs" AND (url_path="/_internal/*" OR url_path="/ews/*" OR url_path="/utils/backup/*" OR url_path="/MyScreens/*" OR url_path="/kreator.html5/*") AND http_status=200
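
The same log indicators can be checked offline against a web server access log. The script below is an added example, not part of the original advisory or of URVE. It assumes combined-format access logs and a hypothetical trusted range of 10.20.0.0/24, and the sample log lines are constructed.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Path prefixes from the "Log Indicators" list on this page.
VULN_PATH = re.compile(r"^/(_internal|ews|utils/backup|MyScreens|kreator\.html5)/")
# Combined log format: client, identity, user, [time], "request", status.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                      r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumption: networks allowed to reach URVE; replace with your own.
TRUSTED = [ipaddress.ip_network("10.20.0.0/24")]

def is_trusted(client):
    try:
        return any(ipaddress.ip_address(client) in net for net in TRUSTED)
    except ValueError:  # hostname instead of an address in the client field
        return False

def classify(line):
    """Return a finding for a request to a listed path, or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    # Decode and normalise before matching, as the web server does.
    raw = unquote(m["target"].split("?", 1)[0])
    path = "/" + posixpath.normpath(raw).lstrip("/")
    path += "/" if raw.endswith("/") and path != "/" else ""
    if not VULN_PATH.match(path):
        return None
    status = int(m["status"])
    if status >= 400:
        verdict = "not-served"        # blocked or absent
    elif is_trusted(m["ip"]):
        verdict = "served-trusted"    # still reachable from inside
    else:
        verdict = "served-untrusted"  # investigate first
    return {"ip": m["ip"], "path": path, "status": status, "verdict": verdict}

def scan(lines):
    return [f for f in map(classify, lines) if f]

SAMPLE = [  # constructed log lines, not taken from a real system
    '203.0.113.7 - - [12/Jan/2021:10:01:02 +0000] "GET /_internal/pc/shutdown.php HTTP/1.1" 200 12 "-" "curl/7.68.0"',
    '10.20.0.5 - - [12/Jan/2021:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2021:10:03:10 +0000] "GET /%5Finternal/pc/shutdown.php HTTP/1.1" 403 199 "-" "curl/7.68.0"',
]
if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A "served-untrusted" finding means a listed endpoint answered a client outside the trusted range; "not-served" findings after the workaround is deployed confirm the block is in effect.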
