Abstract: Response for UNC path traversal security vulnerability
This bulletin describes a vulnerability present in Red Lion’s Crimson software where hash of a user’s password is at risk of being exploited when Crimson attempts to open a file specified in a UNC path. This vulnerability does not impact any existing hardware installations. It impacts Crimson software when a user is actively working on a configuration that contains references to external files. Customers should not open files originating from outside their organization and should upgrade their Crimson 3.0/3.1/3.2 software to the latest version.
CVSS v3.1 Base Vulnerability Score: 7.5
Hardware Products Affected:
Software Versions Affected:
- Crimson 3.0 707.000 or Below
- Crimson 3.1 3126.001 or Below
- Crimson 3.2 3.2.0044.0 or Below
Revision Information: 25 August 2022
Vulnerability: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The vulnerability allows the exploitation of a weakness in Windows whereby a hash of the user’s password will be sent to an arbitrary host upon attempting to open a file using a UNC path. For example, if an application tries to open a file with the name ‘\\bad.hacker.com\share\file.txt’, a request will be sent to the specified host on the hacker.com domain, allowing the owner of that domain to obtain the hash. Many Windows installations employ weak hashes that can be used to derive the original password, thus allowing compromise of user credentials.
Crimson databases may contain references to external files. For example, if an image is incorporated into a display page, the JPG or other file may be referenced by the database and accessed when Crimson opens the file. By constructing a database that contains references to UNC paths of the form described above, a bad actor can exploit the weakness in Windows and obtain the password of the user opening that file.
CVSS31 Base Score: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Do not open files originating from outside the organization. Until the remedy is applied and in any case as matter of best practice, users should not open files that originate from outside their organization unless they can establish that said files came from a trusted source.
The following versions of Crimson have been modified to block this exploit:
- Crimson 3.0 Version 711.00;
- Crimson 3.1 Version 3126.02; and
- Crimson 3.2 Version 3.0045.
Crimson blocks the exploit by limiting the circumstances in which embedded UNC paths will be opened. An example of the kind of error received when Crimson blocks a UNC path is below.
While blocking all UNC paths might seem like a suitable remedy, it would adversely effects users who legitimately reference files using this method. Crimson thus applies a set of rules when considering whether to open a UNC file, or whether to block it and inform the user. Specifically, a file will be opened if the host on which it is located can be resolved to an IPv4 address, and if that address matches the subnet of one of the Ethernet or Wi-Fi adapters installed in the PC on which Crimson is executing, or one of the well-known private IP address ranges, namely 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or the APIPA range of 169.254.0.0/16.
For information on whitelisting UNC paths, please see the following tech note: Crimson 3.x: Whitelisting UNC Paths.