CVE-2022-32272
📋 TL;DR
This vulnerability allows an attacker with access to an OPSWAT MetaDefender product to escalate privileges due to incorrect access control. Affected systems are MetaDefender Core before 5.1.2, MetaDefender ICAP before 4.12.1, and MetaDefender Email Gateway Security before 5.6.1. A successful attacker gains administrative access to the security system itself.
💻 Affected Systems
- OPSWAT MetaDefender Core
- OPSWAT MetaDefender ICAP
- OPSWAT MetaDefender Email Gateway Security
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with administrative access to security infrastructure, allowing attackers to disable protections, exfiltrate data, or pivot to other systems.
Likely Case
Unauthorized administrative access to MetaDefender management interfaces, enabling configuration changes, policy bypass, or data access.
If Mitigated
Limited impact with proper network segmentation and access controls preventing exploitation attempts.
🎯 Exploit Status
Exploit details are public: a Packet Storm write-up targets MetaDefender Core 4.21.1 (see References). Because this is a privilege escalation, exploitation presupposes some access to the product at a lower privilege level; treat the public write-up as enough to weaponize and assume exploitation is practical rather than theoretical.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MetaDefender Core 5.1.2+, MetaDefender ICAP 4.12.1+, MetaDefender Email Gateway Security 5.6.1+
Vendor Advisory: https://docs.opswat.com/mdcore/release-notes
Restart Required: Yes
Instructions:
1. Download the latest version from the OPSWAT portal.
2. Back up the current configuration.
3. Install the update following the vendor documentation.
4. Restart services.
5. Verify functionality and confirm the running version (see How to Verify).
🔧 Temporary Workarounds
Network Segmentation
Linux (iptables): restrict access to the MetaDefender management interface to trusted IPs only. Replace [management_port] and [trusted_ip] with your values. Note that -A appends, so if an earlier rule in INPUT already accepts this port these rules never match; use -I to place them at the top of the chain if needed, confirm the order in the chain listing, and persist the rules, since they do not survive a reboot on their own.
iptables -A INPUT -p tcp --dport [management_port] -s [trusted_ip] -j ACCEPT
iptables -A INPUT -p tcp --dport [management_port] -j DROP
Access Control Lists
Windows (netsh): restrict management interface access to trusted IPs. Windows Firewall evaluates block rules before allow rules, so a block rule with remoteip=any would also lock out your own administrators and cannot be combined with an allow exception. Instead, keep the profile's default inbound action at block, remove any existing broader allow rule for the port, and add an allow rule scoped to the trusted source:
netsh advfirewall firewall add rule name="Allow MetaDefender Management (trusted)" dir=in action=allow protocol=TCP localport=[management_port] remoteip=[trusted_ip]
🧯 If You Can't Patch
- Isolate MetaDefender systems in separate VLAN with strict access controls
- Implement network monitoring for unauthorized access attempts to management interfaces
🔍 How to Verify
Check if Vulnerable:
Check version in MetaDefender web interface or via API. Compare against affected versions.
Check Version:
curl -k https://[metadefender_ip]:[port]/api/version
Verify Fix Applied:
Confirm the running version is 5.1.2 or later for Core, 4.12.1 or later for ICAP, or 5.6.1 or later for Email Gateway Security. Then, using a deliberately low-privileged test account, repeat the steps from the public write-up and confirm they are rejected.
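The version comparison above is easy to get wrong by hand (string comparison puts "4.9" after "4.12"). The following is an added example, not OPSWAT code or part of the original page: it encodes the fixed versions stated in this advisory and compares a reported version against them numerically. The response body passed to it is a constructed, hypothetical shape; the function only looks for the first dotted version string, so it tolerates whatever JSON or text the real endpoint returns.

```python
import re

# First fixed version per product, taken from the advisory text above.
FIXED_VERSIONS = {
    "core": "5.1.2",    # MetaDefender Core
    "icap": "4.12.1",   # MetaDefender ICAP
    "email": "5.6.1",   # MetaDefender Email Gateway Security
}


def parse_version(text):
    """Return a tuple of ints for the first dotted version found in `text`.

    Accepts a bare version string ("4.21.1") or a raw HTTP body containing
    one. Raises ValueError if no x.y[.z...] pattern is present, so a
    missing version is never silently treated as "fixed".
    """
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError("no version string found in: %r" % (text,))
    return tuple(int(part) for part in m.group(0).split("."))


def version_lt(a, b):
    """Numeric less-than on version tuples, padding the shorter with zeros
    so that (5, 1) compares equal to (5, 1, 0) rather than below it."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def is_vulnerable(product, version_text):
    """True if the reported version is below the fixed version for `product`.

    `product` is one of "core", "icap", "email"; `version_text` may be a
    bare version or the body returned by the version endpoint.
    """
    fixed = parse_version(FIXED_VERSIONS[product])
    return version_lt(parse_version(version_text), fixed)


def assess(product, body):
    """Human-readable verdict for a version response body."""
    found = ".".join(str(p) for p in parse_version(body))
    state = "VULNERABLE" if is_vulnerable(product, body) else "fixed"
    return "%s %s: %s (fixed in %s)" % (product, found, state, FIXED_VERSIONS[product])


if __name__ == "__main__":
    # Constructed sample body; the real endpoint's JSON layout is not assumed.
    sample_body = '{"product_id": "MSCL", "version": "4.21.1"}'
    print(assess("core", sample_body))
    print(assess("icap", "4.12.1"))
```

Feed it the body from the curl call above (for example via `assess("core", response_text)`); anything that parses as 4.21.1 or any other version below 5.1.2 is reported as vulnerable, and a body with no version string raises instead of passing.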
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access to administrative endpoints
- Privilege escalation attempts in application logs
- Configuration changes from non-admin users
Network Indicators:
- Unusual traffic to MetaDefender management ports from unexpected sources
- HTTP requests to administrative or user-management endpoints from sessions authenticated as non-administrative users, particularly ones that succeed
SIEM Query (illustrative; the field names source, event_type and endpoint depend on how your log pipeline parses MetaDefender logs and must be adapted):
source="metadefender*" AND (event_type="auth_failure" OR event_type="privilege_escalation" OR endpoint="/api/admin/*")
🔗 References
- http://packetstormsecurity.com/files/171549/OPSWAT-Metadefender-Core-4.21.1-Privilege-Escalation.html
- https://docs.opswat.com/mdcore/release-notes
- https://docs.opswat.com/mdemail/release-notes
- https://docs.opswat.com/mdemail/release-notes/version-5-6-1
- https://docs.opswat.com/mdicap/release-notes
- https://docs.opswat.com/mdicap/release-notes/version-4-12-1
- https://opswat.com