CVE-2022-29967

7.5 HIGH

📋 TL;DR

CVE-2022-29967 is a directory traversal vulnerability in Glewlwyd's static_compressed_inmemory_website_callback.c component that allows attackers to access files outside the intended directory. This affects Glewlwyd authentication servers through version 2.6.2. Attackers can potentially read sensitive files on the server.

💻 Affected Systems

Products:
  • Glewlwyd
Versions: through 2.6.2
Operating Systems: All platforms running Glewlwyd
Default Config Vulnerable: ⚠️ Yes
Notes: All Glewlwyd deployments using the affected component are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise through reading sensitive configuration files, credentials, or private keys, leading to authentication bypass or further system exploitation.

🟠 Likely Case

Unauthorized reading of sensitive files containing configuration data, user information, or system files that could enable further attacks.

🟢 If Mitigated

Limited impact: proper file permissions and network segmentation prevent access to critical system files.

🌐 Internet-Facing: HIGH - Web-accessible authentication servers are directly exposed to potential attackers.
🏢 Internal Only: MEDIUM - Internal servers still vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Directory traversal vulnerabilities are commonly exploited with simple HTTP requests using path traversal sequences like '../'.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.3 and later

Vendor Advisory: https://github.com/babelouest/glewlwyd/commit/e3f7245c33897bf9b3a75acfcdb8b7b93974bf11

Restart Required: Yes

Instructions:

1. Update Glewlwyd to version 2.6.3 or later.
2. Restart the Glewlwyd service.
3. Verify the patch is applied by checking the version.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules (platform: all)

Block directory traversal patterns in HTTP requests.

File System Restrictions (platform: linux)

Set strict file permissions and run the Glewlwyd process in a chroot/jail:

chmod 750 /path/to/glewlwyd/data
chown glewlwyd:glewlwyd /path/to/glewlwyd/data

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Glewlwyd servers
  • Deploy WAF with rules blocking path traversal patterns (../, ..\, etc.)

🔍 How to Verify

Check if Vulnerable:

Check if Glewlwyd version is 2.6.2 or earlier. Test with controlled directory traversal attempts to static endpoints.

Check Version:

Run glewlwyd --version, or check the package manager (apt list --installed | grep glewlwyd).

Verify Fix Applied:

Verify Glewlwyd version is 2.6.3 or later. Test that directory traversal attempts now return proper errors.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' or similar traversal patterns
  • Access to unexpected file paths in web logs
  • Error responses from blocked traversal attempts

Network Indicators:

  • HTTP requests with encoded traversal sequences (%2e%2e%2f)
  • Multiple failed attempts to access parent directories

SIEM Query:

source="web_logs" AND (uri="*../*" OR uri="*..\\*" OR uri="*%2e%2e%2f*")
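As an added example (not code from the Glewlwyd project or from this advisory), the following Python script applies the log indicators above to access-log lines, URL-decoding (including double-encoded) sequences and normalising backslashes before matching, so that variants a literal '*../*' SIEM pattern would miss are still flagged. It assumes the combined Apache/nginx log format; the sample entries, addresses and paths are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Request line inside a combined-format access log entry (format assumed).
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
# A '..' path segment after decoding and separator normalisation.
_TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')

def normalize_path(uri: str) -> str:
    """Strip the query string, URL-decode repeatedly (bounded, so
    %252e%252e%252f also surfaces) and treat '\\' like '/'."""
    path = uri.split('?', 1)[0]
    for _ in range(3):  # nested encoding deeper than this is not worth chasing
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')

def is_traversal(uri: str) -> bool:
    """True when the normalised path contains a '..' segment."""
    return _TRAVERSAL_RE.search(normalize_path(uri)) is not None

def scan_log(lines):
    """Return (client_ip, raw_uri) for each request that looks like traversal."""
    hits = []
    for line in lines:
        m = _REQUEST_RE.search(line)
        if m and is_traversal(m.group('uri')):
            hits.append((line.split(' ', 1)[0], m.group('uri')))
    return hits

# Constructed sample entries; addresses and paths are placeholders, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2022:10:00:00 +0000] "GET /webapp/index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/May/2022:10:00:01 +0000] "GET /webapp/../../../example.conf HTTP/1.1" 200 1024',
    '203.0.113.7 - - [01/May/2022:10:00:02 +0000] "GET /webapp/%2e%2e%2f%2e%2e%2fexample.conf HTTP/1.1" 404 0',
    '203.0.113.9 - - [01/May/2022:10:00:03 +0000] "GET /webapp/..%255c..%255cexample.ini HTTP/1.1" 404 0',
    '203.0.113.9 - - [01/May/2022:10:00:04 +0000] "GET /webapp/css/app..min.css HTTP/1.1" 200 300',
]

if __name__ == '__main__':
    for ip, uri in scan_log(SAMPLE_LOG):
        print(f'traversal attempt from {ip}: {uri}')
```

The last sample line shows why matching on a '..' segment rather than any '..' substring matters: a file name such as app..min.css is legitimate and should not page anyone.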
