Vulners
Lucene search
RoyalTS SSH Tunnel Authentication Bypass Vulnerability
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | Royal TS Authentication Bypass Vulnerability | 10 Jun 202000:00 | – | cnvd |
 | CVE-2020-13872 | 9 Jun 202018:32 | – | cve |
 | CVE-2020-13872 | 9 Jun 202018:32 | – | cvelist |
 | EUVD-2020-6080 | 7 Oct 202500:30 | – | euvd |
 | CVE-2020-13872 | 9 Jun 202019:15 | – | nvd |
 | CVE-2020-13872 | 9 Jun 202019:15 | – | osv |
 | Authentication flaw | 9 Jun 202019:15 | – | prion |
 | PT-2020-13744 · Royal Ts · Royal Ts | 9 Jun 202000:00 | – | ptsecurity |
RoyalTS SSH Tunnel - Authentication Bypass
===============================================================================
Identifiers
-------------------------------------------------
* CVE-2020-13872
CVSSv3 score
-------------------------------------------------
8.8 - [AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L](
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L&version=3.1
)
Vendor
-------------------------------------------------
RoyalApps - https://www.royalapps.com/
Product
-------------------------------------------------
Royal TS provides powerful, easy and secure access to your remote
systems.
It's the perfect tool for server admins, system engineers, developers
and IT focused information workers
who constantly need to access remote systems with different protocols
(like RDP, VNC, SSH, HTTP/S, and many more.).
Affected versions
-------------------------------------------------
- All versions prior to RoyalTS v5 for Windows.
Credit
-------------------------------------------------
Michele Toccagni - toccagni.info
Vulnerability summary
-------------------------------------------------
This vulnerability allows a remote attackers to bypass the
authentication of the tunnel
and gain access to an internal network. The problem is that, once a
SSH tunnel is created on the bridge host with a Secure Gateway, this
tunnel will listen on the address 0.0.0.0 on the port opened ad hoc by
RoyalTS (higher than 50000), leaving the possibility for anyone to
exploit the tunnel without having to authenticate to it.
The attacker could easily bruteforce the ssh/rdp login in the internal
network, or,
even worse, if the hosts aren't patched, could use some known exploits
and perform lateral movements.
The vulnerability is fixed in the current major release (Royal TS V5).
Proof of concept
-------------------------------------------------
I wrote a detailed blog post to explain the bug:
https://hacktips.it/royalts-ssh-tunnel-authentication-bypass/
Solution
-------------------------------------------------
Upgrade to RoyalTS V5 for Windows
Timeline
-------------------------------------------------
Date | Status
------------|---------------------
04-JUN-2020 | Reported to vendor
04-JUN-2020 | Vendor replied that it's a known bug and it's fixed on the
last major version
06-JUN-2020 | CVE assigned
08-JUN-2020 | Public disclosure
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Jun 2020 00:00Current
0.4Low risk
Vulners AI Score0.4
CVSS 23.3
CVSS 3.18.8
EPSS0.00708