Lucene search

HistoryJun 05, 2023 - 12:00 a.m.

Schweitzer Engineering Laboratories RTAC Path Traversal (CVE-2023-31166)

2023-06-0500:00:00

www.tenable.com

schweitzer engineering laboratories

rtac

path traversal

cve-2023-31166

sel rtac

vulnerability

tenable.ot

security advisory

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

0.001 Low

EPSS

Percentile

49.8%

JSON

An Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to create folders in arbitrary paths of the file system. See SEL Service Bulletin dated 2022-11-15 for more details.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(501182);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/08/24");

  script_cve_id("CVE-2023-31166");

  script_name(english:"Schweitzer Engineering Laboratories RTAC Path Traversal (CVE-2023-31166)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"An Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal') vulnerability in the Schweitzer Engineering Laboratories
Real-Time Automation Controller (SEL RTAC) Web Interface could allow a
remote authenticated attacker to create folders in arbitrary paths of
the file system. See SEL Service Bulletin dated 2022-11-15 for more
details.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://selinc.com/support/security-notifications/external-reports/");
  script_set_attribute(attribute:"see_also", value:"https://www.nozominetworks.com/blog/");
  script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-31166");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(22);

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/05/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/05/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/06/05");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:selinc:sel-2241_rtac_module_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:selinc:sel-3350_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:selinc:sel-3505-3_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:selinc:sel-3505_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:selinc:sel-3530-4_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:selinc:sel-3530_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:selinc:sel-3532_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:selinc:sel-3555_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:selinc:sel-3560e_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:selinc:sel-3560s_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/SEL");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/SEL');

var asset = tenable_ot::assets::get(vendor:'SEL');

var vuln_cpes = {
    "cpe:/o:selinc:sel-2241_rtac_module_firmware" :
        {"versionEndExcluding" : "r150-v2", "versionStartIncluding" : "r126-v0", "family" : "Rtac"},
    "cpe:/o:selinc:sel-3350_firmware" :
        {"versionEndExcluding" : "r150-v2", "versionStartIncluding" : "r148-v0", "family" : "Rtac"},
    "cpe:/o:selinc:sel-3505_firmware" :
        {"versionEndExcluding" : "r150-v2", "versionStartIncluding" : "r126-v0", "family" : "Rtac"},
    "cpe:/o:selinc:sel-3505-3_firmware" :
        {"versionEndExcluding" : "r150-v2", "versionStartIncluding" : "r132-v0", "family" : "Rtac"},
    "cpe:/o:selinc:sel-3530_firmware" :
        {"versionEndExcluding" : "r150-v2", "versionStartIncluding" : "r126-v0", "family" : "Rtac"},
    "cpe:/o:selinc:sel-3530-4_firmware" :
        {"versionEndExcluding" : "r150-v2", "versionStartIncluding" : "r126-v0", "family" : "Rtac"},
    "cpe:/o:selinc:sel-3532_firmware" :
        {"versionEndExcluding" : "r150-v2", "versionStartIncluding" : "r132-v0", "family" : "Rtac"},
    "cpe:/o:selinc:sel-3555_firmware" :
        {"versionEndExcluding" : "r150-v2", "versionStartIncluding" : "r134-v0", "family" : "Rtac"},
    "cpe:/o:selinc:sel-3560e_firmware" :
        {"versionEndExcluding" : "r150-v2", "versionStartIncluding" : "r144-v2", "family" : "Rtac"},
    "cpe:/o:selinc:sel-3560s_firmware" :
        {"versionEndExcluding" : "r150-v2", "versionStartIncluding" : "r144-v2", "family" : "Rtac"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);

VendorProductVersionCPE
selincsel-2241_rtac_module_firmwarecpe:/o:selinc:sel-2241_rtac_module_firmware
selincsel-3350_firmwarecpe:/o:selinc:sel-3350_firmware
selincsel-3505-3_firmwarecpe:/o:selinc:sel-3505-3_firmware
selincsel-3505_firmwarecpe:/o:selinc:sel-3505_firmware
selincsel-3530-4_firmwarecpe:/o:selinc:sel-3530-4_firmware
selincsel-3530_firmwarecpe:/o:selinc:sel-3530_firmware
selincsel-3532_firmwarecpe:/o:selinc:sel-3532_firmware
selincsel-3555_firmwarecpe:/o:selinc:sel-3555_firmware
selincsel-3560e_firmwarecpe:/o:selinc:sel-3560e_firmware
selincsel-3560s_firmwarecpe:/o:selinc:sel-3560s_firmware

Vendor	Product	CPE
selinc	sel-2241_rtac_module_firmware	cpe:/o:selinc:sel-2241_rtac_module_firmware
selinc	sel-3350_firmware	cpe:/o:selinc:sel-3350_firmware
selinc	sel-3505-3_firmware	cpe:/o:selinc:sel-3505-3_firmware
selinc	sel-3505_firmware	cpe:/o:selinc:sel-3505_firmware
selinc	sel-3530-4_firmware	cpe:/o:selinc:sel-3530-4_firmware
selinc	sel-3530_firmware	cpe:/o:selinc:sel-3530_firmware
selinc	sel-3532_firmware	cpe:/o:selinc:sel-3532_firmware
selinc	sel-3555_firmware	cpe:/o:selinc:sel-3555_firmware
selinc	sel-3560e_firmware	cpe:/o:selinc:sel-3560e_firmware
selinc	sel-3560s_firmware	cpe:/o:selinc:sel-3560s_firmware

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31166

selinc.com/support/security-notifications/external-reports/

www.nozominetworks.com/blog/

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

0.001 Low

EPSS

Percentile

49.8%

JSON

Related for TENABLE_OT_SEL_CVE-2023-31166.NASL