CVE-2023-25803
📋 TL;DR
CVE-2023-25803 is a directory traversal vulnerability in the Roxy-WI web interface that allows an attacker to read arbitrary files from the server hosting Roxy-WI. It affects all Roxy-WI installations prior to version 6.3.5.0. Organizations using a vulnerable version to manage HAProxy, Nginx, Apache or Keepalived servers are at risk.
💻 Affected Systems
- Roxy-WI
📦 What is this software?
Roxy-WI by the Roxy-WI project: a web interface for managing HAProxy, Nginx, Apache and Keepalived servers.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive configuration files, credentials, or system files, potentially leading to full system compromise and lateral movement across managed infrastructure.
Likely Case
Unauthorized access to configuration files containing passwords, API keys, or SSL certificates, enabling further attacks against managed services.
If Mitigated
Exposure is limited to files readable by the account the Roxy-WI service runs as, provided the service runs unprivileged, file permissions are tight, and the web interface is reachable only from trusted networks.
🎯 Exploit Status
Directory traversal vulnerabilities of this kind are trivial to exploit: a single crafted HTTP request carrying '../' sequences (plain or URL-encoded) in the affected input is enough to pull back a file. The vendor advisory linked below includes technical details, so assume the weakness is known to attackers.
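To show the bug class the advisory describes, here is an added example (not Roxy-WI's code and not the vulnerable Roxy-WI handler): a hypothetical config-file reader in its naive form beside a hardened form that resolves the requested path and refuses anything outside the intended directory. The directory layout, file names and contents are constructed fixtures.

```python
import os
import tempfile

# Generic illustration of the path-traversal bug class, not Roxy-WI's code.
# A hypothetical web handler is meant to serve config files from BASE_DIR only.
ROOT = tempfile.mkdtemp(prefix="traversal-demo-")
BASE_DIR = os.path.join(ROOT, "configs")


def read_config_vulnerable(name: str) -> str:
    """Naive join: '../' in `name` walks out of BASE_DIR, and an absolute
    `name` discards BASE_DIR entirely (os.path.join semantics)."""
    path = os.path.join(BASE_DIR, name)
    with open(path, "r", encoding="utf-8") as f:
        return f.read()


def read_config_hardened(name: str) -> str:
    """Resolve the candidate path (following symlinks) and refuse anything
    that does not stay inside BASE_DIR. commonpath avoids the prefix trap
    where '/srv/cfg2' would wrongly pass a startswith('/srv/cfg') check."""
    base = os.path.realpath(BASE_DIR)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes base directory: {name!r}")
    with open(target, "r", encoding="utf-8") as f:
        return f.read()


def setup_sample_tree() -> None:
    """Constructed fixture: one legitimate config inside BASE_DIR and one
    'secret' file one level up, standing in for a credentials file."""
    os.makedirs(BASE_DIR, exist_ok=True)
    with open(os.path.join(BASE_DIR, "haproxy.cfg"), "w", encoding="utf-8") as f:
        f.write("global\n    maxconn 2048\n")
    with open(os.path.join(ROOT, "secret.txt"), "w", encoding="utf-8") as f:
        f.write("db_password=hunter2\n")


def demo() -> dict:
    """Run both readers against a legitimate name, a relative traversal
    payload and an absolute path; report what leaked and what was blocked."""
    setup_sample_tree()
    results = {"legit": read_config_hardened("haproxy.cfg")}
    # The naive reader returns the file that lives outside BASE_DIR.
    results["vuln_leak"] = read_config_vulnerable("../secret.txt")
    try:
        read_config_hardened("../secret.txt")
        results["hardened_blocked"] = False
    except PermissionError:
        results["hardened_blocked"] = True
    try:
        read_config_hardened(os.path.join(ROOT, "secret.txt"))  # absolute path
        results["absolute_blocked"] = False
    except PermissionError:
        results["absolute_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The hardened reader relies on realpath plus a common-prefix check rather than on stripping '../' from the input; stripping is bypassable with encoded or doubled sequences, whereas checking the resolved path catches relative traversal, absolute paths and symlinks pointing out of the directory alike.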
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.3.5.0
Vendor Advisory: https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-cv9w-j9gh-5j3w
Restart Required: Yes
Instructions:
1. Back up the current Roxy-WI configuration and database.
2. Update Roxy-WI to version 6.3.5.0 or later (git pull for source installs, or the package manager for repository installs).
3. Restart the Roxy-WI service.
4. Verify that the running instance reports version 6.3.5.0 or later.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the Roxy-WI web interface to trusted IP addresses only. The ACCEPT rule must sit ahead of the DROP rule, and both must come before any broader ACCEPT already in the INPUT chain (use -I instead of -A if one exists); persist the rules with your distribution's iptables-save mechanism so they survive a reboot.
iptables -A INPUT -p tcp --dport [roxy-wi-port] -s [trusted-ip] -j ACCEPT
iptables -A INPUT -p tcp --dport [roxy-wi-port] -j DROP
Web Server Configuration Hardening
Configure the web server in front of Roxy-WI to reject requests carrying traversal sequences. Match the raw request line rather than the normalized path, otherwise URL-encoded variants (%2e%2e%2f) and sequences inside query parameters pass straight through. This is a stopgap that narrows exposure; it does not replace the patch.
# For Apache (mod_rewrite, with RewriteEngine On in the Roxy-WI vhost or in .htaccess if AllowOverride permits):
RewriteCond %{THE_REQUEST} (\.\./|%2e%2e) [NC]
RewriteRule .* - [F]
# For Nginx (server block; $request_uri is the raw, undecoded URI including arguments):
if ($request_uri ~* "(\.\./|%2e%2e)") { return 403; }
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Roxy-WI from sensitive systems
- Apply strict file permissions to limit readable files to minimum necessary
🔍 How to Verify
Check if Vulnerable:
Check Roxy-WI version. If version is below 6.3.5.0, the system is vulnerable.
Check Version:
grep -i 'version' /path/to/roxy-wi/config.py, check the web interface footer, or, for installs from the vendor package repository, query the package manager (rpm -q roxy-wi or dpkg -l roxy-wi)
Verify Fix Applied:
Confirm the running version is 6.3.5.0 or later, then confirm that a request carrying directory traversal sequences (plain and URL-encoded) is rejected with an error response rather than returning file contents. Test only against instances you are authorized to assess.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' in the URL path or query parameters, including URL-encoded (%2e%2e%2f, ..%2f) and double-encoded (%252e%252e%252f) forms
- Requests resolving to unexpected file paths (for example /etc/passwd or /etc/shadow) in web logs, especially with a 200 status
Network Indicators:
- HTTP GET requests with directory traversal sequences to Roxy-WI endpoints
SIEM Query:
source="web_logs" AND (url="*../*" OR url="*..%2f*" OR url="*%2e%2e*") AND dest_port="[roxy-wi-port]"
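The log indicators and SIEM query above are easy to evade with percent-encoding, so here is an added example (not part of the original page) of detection logic that parses combined-format web server log lines, percent-decodes the request target a bounded number of times, and flags traversal sequences in either the path or the query string. The log lines, source addresses, endpoint (/app/config-view) and parameter (file=) are constructed for the example and are not Roxy-WI's real endpoints.

```python
import re
from urllib.parse import unquote

# Constructed sample in Apache/Nginx combined-log shape. The hosts, endpoint
# (/app/config-view) and parameter (file=) are hypothetical, not Roxy-WI's.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2023:10:00:01 +0000] "GET /app/overview HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2023:10:00:02 +0000] "GET /app/config-view?file=../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.7 - - [10/Mar/2023:10:00:03 +0000] "GET /app/config-view?file=..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 200 912
203.0.113.7 - - [10/Mar/2023:10:00:04 +0000] "GET /app/config-view?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 199
198.51.100.9 - - [10/Mar/2023:10:00:05 +0000] "POST /app/login HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+'
)
# '../' or '..\' after decoding; matches anywhere in the path or query string.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def normalize_target(target: str, max_rounds: int = 2) -> str:
    """Percent-decode repeatedly, bounded, so %2e%2e%2f and double-encoded
    %252e%252e%252f both collapse to '../' before matching."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def is_traversal(target: str) -> bool:
    """True when the decoded request target carries a traversal sequence."""
    return TRAVERSAL_RE.search(normalize_target(target)) is not None


def scan(lines):
    """Return one dict per request whose target carries a traversal sequence.
    The HTTP status is kept because a 200 on such a request is the signal that
    the read may have succeeded, while a 403 suggests a front-end block fired."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["target"]):
            continue
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "target": m["target"],
            "decoded": normalize_target(m["target"]),
            "status": int(m["status"]),
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit['ip']} {hit['status']} {hit['decoded']}")
```

Decoding is capped at two rounds deliberately: unbounded decoding loops turn the detector into a CPU sink on adversarial input, and two rounds cover the single- and double-encoded forms seen in practice. Run the same logic over the web server's access log for the Roxy-WI vhost and triage 200 responses first.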