CVE-2022-46902 - Vulnerability in Vocera Report Server and Voice Server 5.x through 5.8: Path Traversal Exploitation and Database Compromise

A security issue has been recently discovered in Vocera Report Server and Voice Server versions 5.x through 5.8, which allows attackers to exploit a Path Traversal vulnerability during a database restoration operation utilizing a ZIP archive. The main issue originates from the Vocera Report Console's websocket function responsible for the extraction of SQL import files from the archive.

Exploit Details

The Vocera Report Console's websocket function is designed to restore the database from a ZIP archive, which is supposed to contain an SQL import file. However, during the extraction process, the code does not validate the file paths provided within the archive and directly writes them to a Vocera temporary directory, without sanitizing the input.

This lack of proper input validation can be exploited by an attacker to create a specially crafted ZIP archive containing directory traversal payloads. When this malicious archive is processed by the Vocera Report Server, it can result in unintended files being overwritten or new files being created outside of the intended destination, potentially compromising the system.

Code Snippet Example

import zipfile

def extract_zip(zip_file):
    with zipfile.ZipFile(zip_file, 'r') as zf:
        for entry in zf.infolist():
            target_path = os.path.join('/vocera_temp/', entry.filename)
            # The problem lies in the next line.
            target_path = os.path.normpath(target_path)
            # This line should be added to properly validate and check for directory traversal payloads:
            # if not target_path.startswith('/vocera_temp/'):
            #     continue
            with zf.open(entry) as f:
                with open(target_path, 'wb') as output:
                    output.write(f.read())

Original References

The details of the vulnerability have been reported and documented in the following resources:
1. National Vulnerability Database (NVD)
2. Vocera Security Advisory

Mitigation

To remediate the vulnerability, users of Vocera Report Server and Voice Server 5.x through 5.8 should immediately apply the security patch provided by the vendor as mentioned in their official security advisory. As a temporary solution, it is also advised to avoid restoring the database from a ZIP archive, especially if the source of the archive is unknown or untrusted.

Conclusion

The Path Traversal vulnerability in Vocera Report Server and Voice Server 5.x through 5.8 (CVE-2022-46902) is a serious security risk that can potentially lead to database compromise and system hijacking. Users should apply the provided security patch and follow the company's recommendations to further secure their Vocera deployments. This incident is a reminder that software developers must be vigilant in validating and sanitizing user inputs, especially in critical processes like database restoration, to mitigate the risk of exploitation.

Timeline

Published on: 07/25/2023 20:15:00 UTC
Last modified on: 08/04/2023 18:19:00 UTC