CVE-2024-6049 Scanner
CVE-2024-6049 Scanner - Path Traversal vulnerability in Lawo AG vsm LTC Time Sync (vTimeSync)
Short Info
Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 30 days
Scan only one: Domain, IPv4
Toolbox: -
The vTimeSync software contains a path traversal vulnerability that allows unauthenticated remote attackers to read files outside the intended directory on the underlying operating system. It is triggered by a specially crafted HTTP request whose path escapes the restricted directory. The handler only serves files whose extension is on a permitted list (for example .exe or .txt), so the flaw is not an arbitrary-file read, but the files it does expose can still contain sensitive system or application information.
The weakness lies in the HTTP request handler: its validation does not canonicalize the requested path before enforcing the directory restriction, so a path built from "..." (triple-dot) segments is accepted where ".." would be rejected. An attacker chains several "..." segments to climb out of the served directory and then names a file that carries a permitted extension, such as a text-based configuration file, a log, or an executable. The extension check limits the scope of the disclosure but does not prevent it. No authentication is required, so any host that can reach the vTimeSync HTTP service can exploit it. Asset owners should install the vendor update from the Lawo downloads page listed under References, and until then restrict network reachability of the vTimeSync host to the management network that needs it; SOC teams can look for request paths containing repeated "..." segments (including their URL-encoded and backslash forms) in web-server logs or network captures.
If exploited, the vulnerability exposes data stored on the host, which can lead to a data breach. Attackers can use the disclosed files to learn the system configuration, gather network details, or extract material used in the media production workflow, and then use that knowledge to plan further intrusions or move to other parts of the broadcast infrastructure. Because vTimeSync provides time synchronization for production systems, a compromise that starts here can ultimately affect the reliability of time-dependent broadcast operations.
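The following detector is an added example, not code from Lawo, SEC Consult, or the S4E scanner. It applies the description above to web-server access-log lines: it URL-decodes each request target, treats backslashes as separators (the product is served from a Windows host, as the .exe targets suggest), flags any path segment made of two or more dots, and reports whether the requested extension is one the flaw would actually serve. The log format, IP addresses, file names, and the readable-extension list are constructed for the example and are not taken from the advisory.

```python
import os
import re
from urllib.parse import unquote

# Assumption: the extensions the summary says the flaw lets an attacker read.
# Extend this set if the vendor or advisory lists more.
READABLE_EXTENSIONS = {".exe", ".txt"}

# Apache/nginx "combined"-style access-log line (fields used: ip, time, request, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# "..", "..." and longer runs of dots all count as traversal attempts.
DOT_SEGMENT = re.compile(r"\.{2,}")


def decode_path(target):
    """Canonicalise the request target before matching: drop the query string,
    URL-decode twice (catches %2e as well as double-encoded %252e), and treat
    backslashes as separators the way a Windows host would."""
    path = target.split("?", 1)[0]
    path = unquote(unquote(path))
    return path.replace("\\", "/")


def analyze_target(target):
    """Classify one request target; 'traversal' is True when any segment is a run of dots."""
    path = decode_path(target)
    segments = path.split("/")
    dot_segments = [s for s in segments if DOT_SEGMENT.fullmatch(s)]
    ext = os.path.splitext(segments[-1])[1].lower()
    return {
        "path": path,
        "traversal": bool(dot_segments),
        "depth": len(dot_segments),          # how many directories the request tries to climb
        "extension": ext,
        "readable_extension": ext in READABLE_EXTENSIONS,
    }


def scan_log(lines):
    """Return one record per traversal attempt found in the given log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        info = analyze_target(m["target"])
        if not info["traversal"]:
            continue
        status = int(m["status"])
        info.update(
            ip=m["ip"],
            timestamp=m["ts"],
            status=status,
            # A 200 on a readable extension is the combination that indicates
            # actual disclosure; other hits are still attempts worth alerting on.
            likely_success=status == 200 and info["readable_extension"],
        )
        hits.append(info)
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jul/2024:09:14:02 +0000] "GET /.../.../.../config.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jul/2024:09:14:03 +0000] "GET /...%5C...%5C...%5Cservice.exe HTTP/1.1" 200 204800',
    '192.0.2.10 - - [10/Jul/2024:09:15:11 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Jul/2024:09:16:40 +0000] "GET /.../.../.../secret.ini HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ip"]} {h["status"]} depth={h["depth"]} ext={h["extension"]} '
              f'likely_success={h["likely_success"]} {h["path"]}')
```

The decode-then-match order matters: matching the raw request line would miss the `%5C` (backslash) and `%2e` spellings, which is the same canonicalization mistake the vulnerable handler makes from the other side. On the three flagged lines the sample yields two likely disclosures (a .txt and an .exe, both answered 200) and one failed attempt (.ini, answered 404); the benign `/index.html` request is not reported. A directory literally named `...` is legal on non-Windows file systems, so on mixed estates treat the hit as a trigger for review rather than proof of exploitation.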
By joining the S4E platform, you gain continuous, real-time insights into vulnerabilities like those affecting Lawo vTimeSync. Our tools empower you to detect and address security flaws efficiently, ensuring your systems remain compliant and secure. Enjoy access to advanced scanners, detailed reports, and actionable recommendations that help safeguard your network and media infrastructure. Join SecurityForEveryone to experience proactive, reliable security management and keep your assets protected against the latest vulnerabilities.
References:
- https://lawo.com/lawo-downloads/
- https://r.sec-consult.com/lawo
- https://packetstormsecurity.com/files/182347/Lawo-AG-vsm-LTC-Time-Sync-Path-Traversal.html
- https://sec-consult.com/vulnerability-lab/advisory/unauthenticated-path-traversal-vulnerability-in-lawo-ag-vsm-ltc-time-sync-vtimesync/
- https://nvd.nist.gov/vuln/detail/cve-2024-6049