Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
1

CVE-2020-11698

Disclosure Date: September 17, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Initial Access
Techniques
Validation
Validated

Description

An issue was discovered in Titan SpamTitan 7.07. Improper input sanitization of the parameter community on the page snmp-x.php would allow a remote attacker to inject commands into the file snmpd.conf that would allow executing commands on the target server.

Add Assessment

3
Ratings
Technical Analysis

SpamTitan Gateway is an anti-spam appliance that protects against unwanted emails and malwares. Versions 7.01, 7.02, 7.03 and 7.07 are vulnerable to Remote Code Execution as root due to improper input sanitization. Note that only version 7.03 needs authentication and no authentication is required for versions 7.01, 7.02 and 7.07.

The attack consists in abusing the SpamTitan Gateway UI SNMP Management Settings feature to inject dangerous SNMPD command directives into the SNMP server configuration file. This is can be done in two steps:

  1. Send an HTTP POST request to the snmp-x.php page with a specially crafted community parameter:
    ...[SNIP]...&community=<community>" <ip>\nextend <random name> <payload>.
    This will end up being added to snmp.conf like this:
    …[SNIP]...
    rocommunity "<community>" <ip>
    extend <random name> <payload>
    …[SNIP]...
  2. Send an SNMP Get-Request to correct OID to trigger the payload.

Since a proof o concept and a Metasploit module are available, it is highly recommended to upgrade to the latest available version.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • titanhq

Products

  • spamtitan 7.07
Technical Analysis