CVE-2023-38126
📋 TL;DR
This vulnerability allows authenticated remote attackers to execute arbitrary code as root on Softing edgeAggregator installations by exploiting a directory traversal flaw in backup zip file processing. The lack of path validation enables attackers to write malicious files outside intended directories. Organizations using vulnerable versions of Softing edgeAggregator are affected.
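The flaw described above is a missing path check when entries of a backup archive are written to disk. The following is an added example (not Softing's code, and not the edgeAggregator restore logic itself) showing the validation a restore routine needs: each zip member is rejected if its name is absolute, contains a `..` component, or resolves outside the destination root, and the whole archive is refused before anything is written if any member fails. The function names, the archive contents and the restore directory are constructed for the example.

```python
import io
import os
import zipfile
from pathlib import Path
from typing import Dict, List


class UnsafeArchiveEntry(ValueError):
    """Raised when an archive member would be written outside the restore root."""


def member_is_contained(dest_root: Path, member_name: str) -> bool:
    """True only if `member_name` resolves to a location inside `dest_root`.

    Three checks: no absolute path (POSIX or Windows style), no '..' component
    in either separator convention, and the fully resolved target must still
    be under the resolved destination root (catches what the first two miss,
    e.g. a destination that is itself a symlink).
    """
    normalized = member_name.replace("\\", "/")
    if normalized.startswith("/") or os.path.splitdrive(normalized)[0]:
        return False
    if ".." in Path(normalized).parts:
        return False
    root = dest_root.resolve()
    try:
        (root / normalized).resolve().relative_to(root)
    except ValueError:
        return False
    return True


def audit_backup(zip_bytes: bytes, dest_root: Path) -> Dict[str, List[str]]:
    """Classify every member of a backup archive before anything is written."""
    verdict: Dict[str, List[str]] = {"accepted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            bucket = "accepted" if member_is_contained(dest_root, info.filename) else "rejected"
            verdict[bucket].append(info.filename)
    return verdict


def restore_backup(zip_bytes: bytes, dest_root: Path) -> List[Path]:
    """Extract only after the whole archive passed validation (fail closed).

    Validating every member first means one traversal entry aborts the restore
    instead of leaving a half-written configuration behind.
    """
    verdict = audit_backup(zip_bytes, dest_root)
    if verdict["rejected"]:
        raise UnsafeArchiveEntry(f"refusing restore, unsafe members: {verdict['rejected']}")
    written: List[Path] = []
    dest_root.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = dest_root / info.filename
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_sample_backup(member_names: List[str]) -> bytes:
    """Constructed test data: an in-memory zip with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"sample content\n")
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile

    # Constructed archive: two legitimate members and two traversal attempts.
    sample = build_sample_backup([
        "config/settings.json",
        "certs/server.pem",
        "../../outside.txt",
        "/tmp/absolute.txt",
    ])
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "restore"
        print(audit_backup(sample, root))
        try:
            restore_backup(sample, root)
        except UnsafeArchiveEntry as exc:
            print("blocked:", exc)
```

The audit step is separate from the extraction step on purpose: the same `member_is_contained` check can be run against an uploaded archive to log or alert on a traversal attempt without ever touching the filesystem.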
💻 Affected Systems
- Softing edgeAggregator
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root privileges, allowing complete control over the affected system, data theft, lateral movement, and persistent backdoor installation.
Likely Case
Authenticated attackers gaining root shell access to execute arbitrary commands, potentially leading to data exfiltration, service disruption, or ransomware deployment.
If Mitigated
Limited impact due to network segmentation, strong authentication controls, and monitoring preventing successful exploitation attempts.
🎯 Exploit Status
Exploitation requires authentication but is straightforward once authenticated. The vulnerability is well-documented in ZDI advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.30.0 and later
Vendor Advisory: https://industrial.softing.com/fileadmin/psirt/downloads/syt-2023-10.html
Restart Required: Yes
Instructions:
1. Download edgeAggregator version 1.30.0 or later from Softing.
2. Back up the current configuration.
3. Stop the edgeAggregator service.
4. Install the updated version.
5. Restart the edgeAggregator service.
6. Verify functionality.
🔧 Temporary Workarounds
Disable Backup/Restore Functionality
Temporarily disable the backup and restore features if they are not required for operations:
# Check the edgeAggregator configuration for backup settings
# Disable the backup-related endpoints in the configuration
Network Access Restrictions
Restrict network access to the edgeAggregator management interface. Example iptables rules (replace the placeholders with the actual port and trusted source addresses; the ACCEPT rule must precede the DROP rule):
iptables -A INPUT -p tcp --dport <edgeAggregator-port> -s <trusted-ips> -j ACCEPT
iptables -A INPUT -p tcp --dport <edgeAggregator-port> -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate edgeAggregator from critical systems
- Enforce multi-factor authentication and strong password policies for all edgeAggregator accounts
🔍 How to Verify
Check if Vulnerable:
Check the edgeAggregator version: if it is below 1.30.0, the system is vulnerable.
Check Version:
Check the edgeAggregator web interface or configuration files for version information.
Verify Fix Applied:
Verify that the edgeAggregator version is 1.30.0 or higher, and confirm that backup/restore functionality works without directory traversal (restoring a backup must not write files outside the intended directories).
📡 Detection & Monitoring
Log Indicators:
- Unusual backup/restore activity from non-standard IPs
- Multiple failed authentication attempts followed by backup operations
- File write operations outside expected backup directories
Network Indicators:
- HTTP POST requests to backup/restore endpoints with unusual parameters
- Traffic patterns suggesting file uploads to backup functionality
SIEM Query:
source="edgeAggregator" AND (event="backup" OR event="restore") AND src_ip NOT IN [allowed_ips]
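The log indicators above can be checked outside a SIEM as well. The following is an added example, not part of the original advisory and not tied to any real edgeAggregator log format: it runs two of the listed detections over constructed log lines (backup/restore events from an IP outside an assumed management subnet, and a backup/restore operation preceded by repeated failed logins from the same IP). The key=value log layout, the allowlisted subnet, the threshold and the time window are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed log lines in a made-up key=value layout; the real edgeAggregator
# log format is not documented on this page.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z event=login result=failure user=admin src_ip=203.0.113.7
2024-03-01T10:00:03Z event=login result=failure user=admin src_ip=203.0.113.7
2024-03-01T10:00:05Z event=login result=failure user=admin src_ip=203.0.113.7
2024-03-01T10:00:09Z event=login result=success user=admin src_ip=203.0.113.7
2024-03-01T10:00:12Z event=restore result=success user=admin src_ip=203.0.113.7 file=backup.zip
2024-03-01T11:30:00Z event=login result=success user=ops src_ip=10.0.5.20
2024-03-01T11:30:05Z event=backup result=success user=ops src_ip=10.0.5.20 file=daily.zip
2024-03-01T12:00:00Z event=restore result=success user=ops src_ip=198.51.100.9 file=cfg.zip
"""

ALLOWED_NETS = [ipaddress.ip_network("10.0.5.0/24")]  # assumed management subnet
FAILED_LOGIN_THRESHOLD = 3          # assumed: failures before a backup op is suspicious
WINDOW = timedelta(minutes=10)      # assumed: how far back failed logins are counted


def parse_line(line: str) -> Dict[str, str]:
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp lands under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def is_allowlisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def detect(log_text: str) -> List[str]:
    """Return one alert string per suspicious backup/restore event, in log order."""
    alerts: List[str] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ip = ev["src_ip"]
        if ev["event"] == "login" and ev.get("result") == "failure":
            failures[ip].append(ts)
            continue
        if ev["event"] in ("backup", "restore"):
            # Indicator 1: backup/restore activity from outside the allowlist.
            if not is_allowlisted(ip):
                alerts.append(f"{ev['ts']} {ev['event']} from non-allowlisted {ip}")
            # Indicator 2: repeated failed logins shortly before a backup operation.
            recent = [t for t in failures[ip] if ts - t <= WINDOW]
            if len(recent) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(
                    f"{ev['ts']} {ev['event']} from {ip} after {len(recent)} failed logins"
                )
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

On the constructed sample the first restore triggers both indicators, the backup from the management subnet is silent, and the last restore is flagged only for its source address. Tuning the threshold and window to the site's normal administrative behaviour is what keeps the second rule from firing on an operator who simply mistyped a password.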