PT-2020-20296 · Gurux · Gurux Gxdlms Director

Maciej Miszczyk

·

Published

2020-02-25

·

Updated

2020-03-04

·

CVE-2020-8810

CVSS v3.1

8.1

High

Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gurux GXDLMS Director versions prior to 8.5.1905.1301
Description: When GXDLMS Director downloads OBIS codes, it neither verifies that the downloaded files are actual OBIS code files nor checks the supplied file names for path traversal. An attacker who controls the download source can therefore deliver arbitrary executable files and have them written outside the intended directory, for example into an autorun (Startup) directory, or plant DLLs inside the existing GXDLMS Director installation directory. Either outcome yields code execution on the user's machine, and it does not depend on the user having any add-ins installed.
Recommendations: Update Gurux GXDLMS Director to version 8.5.1905.1301 or later, which rejects path traversal in downloaded file names and verifies that downloaded files are genuine OBIS codes.
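The following is an added example, not Gurux code and not the actual fix shipped in 8.5.1905.1301. It shows, on constructed file names, the two checks the advisory says the OBIS-code download path lacked: that the resolved destination stays inside the OBIS directory, and that the downloaded bytes are really an OBIS code file rather than an executable. The directory `C:\Program Files\Gurux\GXDLMSDirector\OBIS`, the `.xml` format with an `ObisCodes` root element, and the function names are assumptions made for the example.

```python
"""Added example, not Gurux code: the two checks the advisory says the
OBIS-code download lacked (path containment and 'is this really an OBIS
code file'), shown as a vulnerable and a hardened destination resolver.

Hypothetical assumptions, not taken from GXDLMS Director:
  - downloaded OBIS codes are XML files stored under one fixed directory;
  - a valid OBIS code file has an <ObisCodes> root element;
  - the remote side chooses the file name, so it is attacker-controlled.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

# Hypothetical destination directory for downloaded OBIS code files.
OBIS_DIR = r"C:\Program Files\Gurux\GXDLMSDirector\OBIS"

# Hypothetical allow-list: only bare names of this shape are ever accepted.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.xml$")


def vulnerable_destination(remote_name: str) -> str:
    """Before: join the remote-supplied name as-is, which is the behaviour the
    advisory describes. '..' segments and absolute names escape OBIS_DIR."""
    return ntpath.normpath(ntpath.join(OBIS_DIR, remote_name))


def is_obis_code_file(content: bytes) -> bool:
    """Hypothetical content check: must parse as XML with an ObisCodes root.
    A PE image (DLL/EXE) does not parse, so it can never be written here.
    Caveat: parsing attacker-controlled XML with stdlib ElementTree carries
    its own risk (entity expansion); production code should use defusedxml."""
    try:
        root = ET.fromstring(content)
    except ET.ParseError:
        return False
    return root.tag == "ObisCodes"


def safe_destination(remote_name: str, content: bytes) -> str:
    """After: accept only an allow-listed bare .xml name, confirm the resolved
    path is still inside OBIS_DIR, and confirm the bytes are an OBIS code file.
    Raises ValueError on any failure so callers cannot write by accident."""
    if not SAFE_NAME.fullmatch(remote_name):
        raise ValueError(f"rejected file name: {remote_name!r}")
    dest = ntpath.normpath(ntpath.join(OBIS_DIR, remote_name))
    # Containment check as defence in depth, independent of the allow-list.
    base = ntpath.normpath(OBIS_DIR) + "\\"
    if not dest.lower().startswith(base.lower()):
        raise ValueError(f"path escapes OBIS directory: {dest}")
    if not is_obis_code_file(content):
        raise ValueError("downloaded data is not an OBIS code file")
    return dest


def is_accepted(remote_name: str, content: bytes) -> bool:
    """Convenience wrapper: True if the hardened path would write the file."""
    try:
        safe_destination(remote_name, content)
        return True
    except ValueError:
        return False


def main() -> None:
    # Constructed sample inputs, not captured from a real OBIS code server.
    startup = (r"..\..\..\..\Users\meter\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\update.exe")
    samples = [
        ("codes.xml", b"<ObisCodes><Code logical='1.0.1.8.0.255'/></ObisCodes>"),
        (startup, b"MZ\x90\x00"),                   # autorun drop via traversal
        (r"..\GXDLMSDirector.dll", b"MZ\x90\x00"),  # DLL planted in install dir
        (r"C:\Windows\Temp\x.xml", b"<ObisCodes/>"),  # absolute name
        ("codes.xml", b"MZ\x90\x00"),               # good name, wrong content
    ]
    for name, data in samples:
        print("vulnerable ->", vulnerable_destination(name))
        try:
            print("hardened   ->", safe_destination(name, data))
        except ValueError as err:
            print("hardened   -> REJECTED:", err)


if __name__ == "__main__":
    main()
```

Running the block prints, for each constructed name, where the unchecked join would have written the file (the Startup folder, the installation directory, an arbitrary absolute path) beside the hardened result. The allow-list on the name is the primary control; the containment check exists so that a future relaxation of the allow-list cannot silently reintroduce traversal, and the content check stops an executable from being stored even under an innocent-looking `.xml` name.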

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2020-8810

Affected Products

Gurux Gxdlms Director