CVE-2023-34394
📋 TL;DR
Keysight Geolocation Server v2.4.2 and earlier contain a path traversal vulnerability that allows attackers to upload malicious files or delete arbitrary files/directories with SYSTEM privileges. This can lead to local privilege escalation or denial-of-service conditions. Organizations using affected versions of this geolocation server software are at risk.
💻 Affected Systems
- Keysight Geolocation Server
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via privilege escalation to SYSTEM, allowing installation of persistent malware, data destruction, or disabling of critical services.
Likely Case
Local privilege escalation leading to unauthorized access to sensitive data, system configuration changes, or service disruption through file deletion.
If Mitigated
Limited impact with proper network segmentation, file integrity monitoring, and least privilege principles in place.
🎯 Exploit Status
Path traversal vulnerabilities typically have low exploitation complexity once access is obtained. Exploitation requires some level of access to the system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.4.3 or later
Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-02
Restart Required: Yes
Instructions:
1. Download latest version from Keysight support portal
2. Backup current configuration and data
3. Install updated version following vendor instructions
4. Restart the Geolocation Server service
5. Verify functionality
🔧 Temporary Workarounds
Restrict File System Access
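Platform: Windows. Apply strict file system permissions to the Geolocation Server installation directory. The command below removes inherited permissions, grants full control to SYSTEM and Administrators, and denies members of Users the delete rights (DE, DC) on that tree. It does not restrict a process that already runs as SYSTEM.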
icacls "C:\Program Files\Keysight\Geolocation Server" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Administrators:(OI)(CI)F" /deny "Users:(OI)(CI)(DE,DC)"
Network Segmentation
Platform: all. Isolate Geolocation Server from other critical systems and restrict access
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the vulnerable system
- Deploy file integrity monitoring to detect unauthorized file changes or deletions
🔍 How to Verify
Check if Vulnerable:
Check the installed version via Control Panel > Programs and Features or by examining the application directory. Versions v2.4.2 and earlier are vulnerable.
Check Version:
wmic product where name="Keysight Geolocation Server" get version
Verify Fix Applied:
Verify version is v2.4.3 or later and test file upload/delete functionality with path traversal attempts
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to Geolocation Server
- File deletion events in system logs
- Failed path traversal attempts in application logs
Network Indicators:
- Unusual outbound connections from Geolocation Server
- File transfer patterns to/from the server
SIEM Query:
(source="windows_security" EventCode=4663 ObjectName="*Geolocation*") OR (source="application" (message="*upload*" OR message="*delete*"))
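One way to act on the log indicators above, as an added PowerShell example that is not vendor code or part of the original advisory: it flags write and delete accesses (Security event 4663) made by the server's process to paths outside its installation directory, keying on the process image rather than the object name so that targets elsewhere on disk are caught. The executable name, the `uploads` folder and the sample records are constructed; the install path is the one used in the icacls workaround.

```powershell
# Added example, not vendor code. Assumption: the service binary runs from
# the install path used in the icacls workaround.
$InstallRoot = 'C:\Program Files\Keysight\Geolocation Server'
$Delete      = 0x10000   # DELETE access right
$WriteData   = 0x2       # FILE_WRITE_DATA (create or overwrite a file)

function Test-UnderRoot {
    param([string]$Path, [string]$Root)
    # Canonicalise first so "..\" segments cannot disguise the real location.
    $full = [System.IO.Path]::GetFullPath($Path)
    $base = [System.IO.Path]::GetFullPath($Root).TrimEnd('\') + '\'
    $full.StartsWith($base, [System.StringComparison]::OrdinalIgnoreCase)
}

function Find-OutOfTreeAccess {
    param([object[]]$Events, [string]$Root = $InstallRoot)
    foreach ($e in $Events) {
        $mask = [Convert]::ToInt32($e.AccessMask, 16)   # field looks like '0x10000'
        $writesOrDeletes = ($mask -band ($Delete -bor $WriteData)) -ne 0
        if ($writesOrDeletes -and
            (Test-UnderRoot $e.ProcessName $Root) -and
            -not (Test-UnderRoot $e.ObjectName $Root)) {
            [pscustomobject]@{
                Access     = if ($mask -band $Delete) { 'DELETE' } else { 'WRITE' }
                ObjectName = [System.IO.Path]::GetFullPath($e.ObjectName)
                Process    = $e.ProcessName
            }
        }
    }
}

# Constructed sample records carrying three EventData fields of event 4663.
$exe = "$InstallRoot\GeolocationServer.exe"   # hypothetical executable name
$sample = @(
    [pscustomobject]@{ ProcessName = $exe; AccessMask = '0x2';     ObjectName = "$InstallRoot\uploads\map.dat" }
    [pscustomobject]@{ ProcessName = $exe; AccessMask = '0x2';     ObjectName = "$InstallRoot\uploads\..\..\..\Temp\report.txt" }
    [pscustomobject]@{ ProcessName = $exe; AccessMask = '0x10000'; ObjectName = 'C:\Windows\System32\drivers\etc\hosts' }
    [pscustomobject]@{ ProcessName = 'C:\Windows\explorer.exe'; AccessMask = '0x10000'; ObjectName = 'C:\Users\Public\a.txt' }
)
Find-OutOfTreeAccess -Events $sample | Format-Table -AutoSize

# Live input: map real events to the same fields, for example
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} | ForEach-Object {
#   $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#   [pscustomobject]$d }
```

Event 4663 is only written when object-access auditing is enabled and the target object has an audit entry (SACL), so the directories you want covered outside the installation tree need auditing configured as well.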