CVE-2022-47561
📋 TL;DR
This vulnerability lets an unauthenticated attacker retrieve the admin.xml file, which stores plaintext credentials for every user, including administrators. With those credentials the attacker can log in as any user and act with that user's privileges. Systems running the affected Ormazabal products with default configurations are vulnerable.
💻 Affected Systems
- Ormazabal products (specific models not detailed in provided references)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where attackers gain administrative access, modify configurations, disrupt operations, and potentially pivot to other systems.
Likely Case
Attackers steal credentials, gain unauthorized access to the web application, and perform actions within the application's permissions.
If Mitigated
Limited impact with proper network segmentation and monitoring, though credentials would still be exposed.
🎯 Exploit Status
Exploitation requires only an unauthenticated HTTP request to the admin.xml path; no credentials, user interaction or special tooling are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in provided references
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ormazabal-products
Restart Required: Yes
Instructions:
1. Contact Ormazabal for patching information.
2. Apply vendor-provided patches.
3. Restart affected services.
4. Verify that admin.xml is no longer accessible without authentication.
🔧 Temporary Workarounds
Restrict access to admin.xml
Configure the web server to deny requests for the admin.xml file. The snippets below assume the product's web interface is fronted by Apache or Nginx; if the file is served by an embedded web server, use its equivalent access-control mechanism.
# For Apache: add to .htaccess or the virtual host config
<Files "admin.xml">
Require all denied
</Files>
# For Nginx: add to the server block (return runs in the rewrite phase, before deny is evaluated, so the client sees a 404)
location = /admin.xml {
deny all;
return 404;
}
Implement authentication requirement
Require authentication for all administrative file access, not only for admin.xml, so that other sensitive files are not reachable the same way.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from untrusted networks
- Implement credential rotation for all users and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Attempt to access /admin.xml via web browser or curl without authentication: curl -v http://target/admin.xml. An HTTP 200 response whose body is XML containing usernames and passwords confirms the exposure; a 401, 403 or 404 indicates the file is not served unauthenticated.
Check Version:
Check product documentation or contact vendor for version information
Verify Fix Applied:
Verify that admin.xml returns 401/403/404 when accessed without authentication, and confirm with the vendor that credentials are no longer stored in plaintext (a blocked HTTP path alone does not remove the plaintext file from the device).
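The verification steps above, as an added example script (not Ormazabal's or the advisory's own code). It assumes the file is served at /admin.xml, the path this page uses, and that the XML names credential fields with element or attribute names containing "user", "login", "pass" or "pwd"; the real schema is not given in the references, so treat the heuristic as an assumption and review any 200 response by hand.

```python
"""Probe a host for the CVE-2022-47561 condition: an unauthenticated GET to
admin.xml that returns the credential file.

Added example, not code from the page or the vendor. Assumptions: the file
lives at /admin.xml (confirm for your product) and credential fields carry
names containing user/login/pass/pwd (the real schema is undocumented here).
"""
import re
import sys
import urllib.error
import urllib.request

# Heuristics for "this looks like a plaintext credential store" (assumption).
_CRED_TAG = re.compile(r"<\s*([A-Za-z_]*(?:user|login|pass|pwd)[A-Za-z_]*)\b", re.IGNORECASE)
_CRED_ATTR = re.compile(r"\b(user|username|login|password|pwd)\s*=\s*['\"]", re.IGNORECASE)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to a login page must not look like a 200."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def assess(status, body):
    """Classify an unauthenticated response to admin.xml.

    Returns one of:
      "vulnerable"   - HTTP 200 and the body is XML with credential-looking fields
      "served"       - HTTP 200 but not recognisably a credential file: review manually
      "blocked"      - 401/403/404: the file is not served without authentication
      "inconclusive" - anything else (redirect, 5xx, ...)
    """
    if status == 200:
        head = body.lstrip()
        looks_xml = head.startswith("<") and "<html" not in head[:512].lower()
        if looks_xml and (_CRED_TAG.search(body) or _CRED_ATTR.search(body)):
            return "vulnerable"
        return "served"
    if status in (401, 403, 404):
        return "blocked"
    return "inconclusive"


def probe(base_url, path="/admin.xml", timeout=10):
    """Fetch path with no credentials and return (status_code, body_text)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"User-Agent": "cve-2022-47561-check"},
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Usage: python check_admin_xml.py http://device-address (address is a placeholder)
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.0.2.10"
    code, text = probe(target)
    print(f"{target}: HTTP {code} -> {assess(code, text)}")
```

Run it before and after applying the fix: the result should move from "vulnerable" to "blocked". A "served" result means the path returns content but the heuristic did not recognise credential fields, so inspect the body yourself rather than assuming it is safe.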
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to /admin.xml requests
- Failed login attempts followed by successful logins from new IPs
- Administrative actions from unusual locations/times
Network Indicators:
- HTTP GET requests to /admin.xml from unauthorized IPs
- Sudden increase in authentication requests
SIEM Query:
Confirmed disclosure (file actually served): source="web_logs" AND uri CONTAINS "admin.xml" AND status=200
All access attempts, including blocked ones, for baselining and alerting on new source IPs: source="web_logs" AND uri CONTAINS "admin.xml"
Match the URI case-insensitively if your platform allows it; the original query's mixed OR/AND without parentheses would have matched every status=200 request.