CVE-2023-28937
📋 TL;DR
DataSpider Servista versions 4.4 and earlier use a hard-coded cryptographic key in ScriptRunner components, allowing attackers who gain access to a Launch Settings file to decrypt and execute operations with user privileges. This affects DataSpider Servista and some OEM products. The vulnerability enables privilege escalation and unauthorized system access.
💻 Affected Systems
- DataSpider Servista
- ScriptRunner
- ScriptRunner for Amazon SQS
- OEM products using DataSpider Servista
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise where attackers decrypt Launch Settings files to execute arbitrary commands with elevated privileges, potentially leading to data theft, system manipulation, or ransomware deployment.
Likely Case
Privilege escalation allowing attackers to perform unauthorized operations within DataSpider Servista, potentially accessing sensitive data or disrupting business processes.
If Mitigated
Limited impact if proper access controls prevent attackers from obtaining Launch Settings files, though the hard-coded key remains a persistent weakness.
🎯 Exploit Status
Exploitation requires access to Launch Settings files, but once obtained, using the hard-coded key is straightforward. No public exploit code is known, but the vulnerability is simple to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 4.5 or later
Vendor Advisory: https://cs.wingarc.com/ja/download/000016244
Restart Required: Yes
Instructions:
1. Download and install DataSpider Servista version 4.5 or later from the vendor website. 2. Apply the update to all affected components including ScriptRunner. 3. Restart all DataSpider Servista services. 4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Access to Launch Settings Files
linuxLimit file system permissions to prevent unauthorized access to Launch Settings files.
chmod 600 /path/to/launch_settings/*.xml
chown root:root /path/to/launch_settings/*.xml
Network Segmentation
allIsolate DataSpider Servista instances from untrusted networks and limit internal access.
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from accessing Launch Settings files.
- Monitor for unusual activity or access attempts to DataSpider Servista configuration files and directories.
🔍 How to Verify
Check if Vulnerable:
Check DataSpider Servista version via administration console or configuration files. Versions 4.4 and earlier are vulnerable.Check Version:
Check version in DataSpider Servista administration interface or configuration files (version varies by installation method).Verify Fix Applied:
Confirm version is 4.5 or later and verify that ScriptRunner components have been updated.📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to Launch Settings files
- Unusual ScriptRunner execution patterns
- Failed authentication attempts followed by successful privileged operations
Network Indicators:
- Unexpected network connections from DataSpider Servista hosts
- Traffic patterns indicating data exfiltration
SIEM Query:
source="DataSpider Servista" AND (event="File Access" AND file="*launch_settings*") OR (event="Privilege Escalation")🔗 References
- https://cs.wingarc.com/ja/download/000016244
- https://cs.wingarc.com/ja/download/000022448
- https://cs.wingarc.com/ja/download/000023565
- https://jvn.jp/en/jp/JVN38222042/
- https://www.hulft.com/application/files/4416/8420/4506/information_20230519_2_en.pdf
- https://www.hulft.com/download_file/18675
- https://www.justsystems.com/jp/services/actionista/info/20230519_001/
- https://www.terrasky.co.jp/files/DCSpider_ScriptRunnerVulnerability.pdf
- https://cs.wingarc.com/ja/download/000016244
- https://cs.wingarc.com/ja/download/000022448
- https://cs.wingarc.com/ja/download/000023565
- https://jvn.jp/en/jp/JVN38222042/
- https://www.hulft.com/application/files/4416/8420/4506/information_20230519_2_en.pdf
- https://www.hulft.com/download_file/18675
- https://www.justsystems.com/jp/services/actionista/info/20230519_001/
- https://www.terrasky.co.jp/files/DCSpider_ScriptRunnerVulnerability.pdf
