CVE-2023-3349
📋 TL;DR
An unauthenticated information exposure vulnerability in IBERMATICA RPS 2019 allows attackers to access sensitive data by triggering logging through a specific URL. This affects all deployments of IBERMATICA RPS 2019 with the vulnerable component exposed. Attackers can retrieve usernames, IP addresses, SQL queries, and other sensitive information without authentication.
💻 Affected Systems
- IBERMATICA RPS 2019
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of sensitive business data including database credentials, user information, and internal network details leading to further attacks.
Likely Case
Exposure of user credentials, internal IP addresses, and SQL queries that could facilitate SQL injection or credential stuffing attacks.
If Mitigated
Limited exposure of non-critical information with proper access controls and network segmentation in place.
🎯 Exploit Status
A single unauthenticated HTTP GET request to the affected URL triggers the vulnerability; no authentication or special tooling is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-ibermatica-rps-2019
Restart Required: No
Instructions:
No official patch available. Apply workarounds and monitor vendor for updates.
🔧 Temporary Workarounds
Block Access to Vulnerable Endpoint
Restrict access to /RPS2019Service/status.html via web server configuration or firewall rules.
# For Apache 2.2: add to the virtual host config (the 2.2 access directives need mod_access_compat on 2.4)
<Location "/RPS2019Service/status.html">
Order deny,allow
Deny from all
</Location>
# For Apache 2.4: prefer the mod_authz_core form
<Location "/RPS2019Service/status.html">
Require all denied
</Location>
# Note: <Location> is not permitted in .htaccess; there, use <Files "status.html"> with the same directives inside it
# For IIS: use a URL Rewrite rule (or a Request Filtering rule) to block access to the specific path
Disable Logging Feature
Modify the application configuration to disable the logging mechanism triggered by the vulnerable endpoint.
# Check application configuration files for logging settings
# Look for RPS2019Service configuration and disable status logging
🧯 If You Can't Patch
- Implement strict network segmentation to isolate RPS 2019 from internet access.
- Deploy web application firewall (WAF) with rules to block requests to /RPS2019Service/status.html.
🔍 How to Verify
Check if Vulnerable:
Attempt HTTP GET request to http://[target]/RPS2019Service/status.html and check if log file is generated or sensitive information is returned.
Check Version:
Check application documentation or interface for version information. Typically found in about section or installation directory.
Verify Fix Applied:
After applying workarounds, test that requests to /RPS2019Service/status.html return 403/404 error or are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual access to /RPS2019Service/status.html endpoint
- Multiple requests generating log files from unauthenticated sources
Network Indicators:
- HTTP GET requests to /RPS2019Service/status.html from external IPs
- Unusual download patterns for log files
SIEM Query:
source="web_server" AND url="/RPS2019Service/status.html" AND status=200
(The user_agent="*" clause some queries include matches every request and, combined with OR, would return all successful traffic; it has been left out. Filter the result further on source IP to separate external from internal requests.)
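The log indicators above, turned into a small detector that runs over web-server access logs. This is an added example, not code from the advisory or from the vendor: it parses Apache/nginx combined-format lines, reports successful (2xx) requests to /RPS2019Service/status.html, tags each by whether the source IP is outside the assumed internal ranges (RFC 1918 plus loopback; adjust INTERNAL_NETS to your network), and counts repeated hits per source. The sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter
from typing import Any, Dict, List

VULN_PATH = "/RPS2019Service/status.html"
LOG_RE = re.compile(  # Apache/nginx "combined" access-log format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')
# Adjust to your own address plan; RFC 1918 plus loopback is assumed here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Constructed sample lines (not real traffic): two external probes, one internal
# hit, one request already blocked by the workaround, one unrelated page.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2023:12:00:01 +0000] "GET /RPS2019Service/status.html HTTP/1.1" 200 512 "-" "curl/8.1"',
    '10.0.0.5 - - [10/Jul/2023:12:00:05 +0000] "GET /RPS2019Service/status.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2023:12:00:09 +0000] "GET /rps2019service/status.html?x=1 HTTP/1.1" 200 512 "-" "curl/8.1"',
    '198.51.100.2 - - [10/Jul/2023:12:01:00 +0000] "GET /RPS2019Service/status.html HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/Jul/2023:12:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

def is_external(ip: str) -> bool:
    """True unless the source address falls inside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable source: treat as untrusted
    return not any(addr in net for net in INTERNAL_NETS)

def find_status_page_hits(lines: List[str]) -> List[Dict[str, Any]]:
    """Successful (2xx) requests to the vulnerable endpoint; matching ignores case
    and query string. A 403/404 after the workaround is expected and not reported."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format access-log line
        rec = m.groupdict()
        path = rec["path"].split("?", 1)[0]
        if path.lower() != VULN_PATH.lower() or not rec["status"].startswith("2"):
            continue
        rec["external"] = is_external(rec["ip"])
        hits.append(rec)
    return hits

def hits_per_source(hits: List[Dict[str, Any]]) -> Dict[str, int]:
    """Repeated requests from one source are the strongest sign of probing."""
    return dict(Counter(h["ip"] for h in hits))
```

Run it against your real access log by replacing SAMPLE_LOG with the file's lines; any entry tagged external, or any source with more than one hit, is worth triaging alongside a check for newly generated log files on the server.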