Warning: two critical RCE vulnerabilities in Lansweeper
Lansweeper has patched two critical vulnerabilities in its product Lansweeper that could be exploited by a remote unauthenticated attacker. Exploitation leads to arbitrary file upload and Remote Code Execution (RCE).
The attack does not require any user interaction and can be executed remotely without privileges.
The impact to confidentiality, integrity and availability is high.
The Centre for Cybersecurity Belgium recommends system administrators patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity. This report has instructions to help your organization.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
On the 29th of November 2022 Lansweeper released an update addressing several issues. Two of these are critical vulnerabilities: CVE-2022-29517 and CVE-2022-32573.
Both of these vulnerabilities are related to CWE-22, which is a directory traversal vulnerability. An attacker can send a specially crafted HTTP request that can lead to arbitrary file upload.
CVE-2022-29517 is related to the following action in Lansweeper: “Helpdesk -> choose any ticket -> Template [editor window] -> Edit any template -> add inline file”. The vulnerable code for this action is located in the “LS\WS\HelpdeskActions.cs” file.
CVE-2022-32573 is related to the following action in Lansweeper: “Assets -> choose any asset -> Docs -> Add document”. The vulnerable code for this action is located in the “\LS\WS\AssetActions.cs” file.
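The weakness class behind both CVEs (CWE-22 in a file upload), as an added Python example that is not Lansweeper's code and not part of the original advisory: a client-supplied file name joined to the storage directory unchecked, next to a resolver that confines the result to that directory. The function names, the `store` directory and the sample file names are constructed for illustration.

```python
import os
import tempfile


def naive_target(base_dir, client_name):
    """Weak pattern (CWE-22): the client-supplied name is joined unchecked."""
    name = client_name.replace("\\", "/")  # Windows accepts both separators
    return os.path.normpath(os.path.join(base_dir, name))


def safe_target(base_dir, client_name):
    """Return the resolved path, or raise ValueError if it leaves base_dir."""
    name = client_name.replace("\\", "/")
    if not name or "\x00" in name or ":" in name or name.startswith("/"):
        raise ValueError("absolute, drive-qualified or malformed name")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath compares whole components: "<base>_old" is not inside base.
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the upload directory")
    return target


def escapes(base_dir, path):
    """True when a resolved path lies outside base_dir."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def demo():
    """Map each constructed name to (naive escapes?, hardened accepts?)."""
    samples = ["manual.pdf", "docs/../manual.pdf", "..\\..\\outside.txt",
               "../store_old/outside.txt", "/outside.txt"]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "store")
        os.mkdir(base)
        for name in samples:
            try:
                safe_target(base, name)
                accepted = True
            except ValueError:
                accepted = False
            results[name] = (escapes(base, naive_target(base, name)), accepted)
    return results


if __name__ == "__main__":
    print(demo())
```

The `../store_old/...` sample is the case a plain string-prefix comparison against the base path would miss, which is why the check compares whole path components.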
Update Lansweeper to the latest version as described in Lansweeper Changelog - Lansweeper.com.
The CCB recommends that organizations upscale their monitoring and detection capabilities to detect any related suspicious activity, ensuring a fast response in case of an intrusion.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
When applying patches to systems that have been vulnerable to an authentication bypass, a proactive threat assessment should be performed to verify the device was not accessed from an unknown IP or location.