Nascent RemKon Multiple CVEs

Public disclosure of multiple CVEs found within the Nascent RemKon Device Manager firmware version 4.0.0.0 build BR017-00117-08

Nascent’s RemKon Device Manager is a web application that is deployed in logistics centers to serve as a “single pane of glass” for managing the settings and configurations of Automated Gate Systems (AGS) and other Nascent products. Black Lantern Security (BLS) identified a total of 3 CVEs for this software during a customer engagement. CVE-2021-38611 allows for the execution of arbitrary commands during a file upload, CVE-2021-38612 is a directory traversal vulnerability, and CVE-2021-38613 allows for the upload of arbitrary files. Authentication is not required by default for this software.

CVE-2021-38611 and CVE-2021-38613

The RemKon Device Manager image upload function executes system commands to store uploaded files in /tmp. Because this code uses raw system commands with no filtering of user input, an attacker can append a semicolon to a file name to escape the intended command and execute arbitrary system commands. The arbitrary command execution vulnerability was assigned the ID CVE-2021-38611.

Figure 1: Command Injection via File Upload.

Additionally, this PHP function does not perform any file type validation. Fortunately, as stated previously, uploaded files are stored in /tmp, so web shells cannot be accessed immediately when this functionality is abused (though CVE-2021-38611 renders this concern largely moot). The arbitrary file upload was assigned the ID CVE-2021-38613.

Figure 2: Arbitrary File Upload.
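The following PHP is an added example, not code from RemKon or from the original advisory. It shows an upload handler that avoids both issues described above by never invoking a shell, never using the client-supplied file name, and checking the file type from the file's contents. The function name store_image, the allow-list, the directories and the sample inputs are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not RemKon source. Function names, directories and the
// allow-list are assumptions made for illustration.
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Pattern described in the advisory (constructed here for contrast):
//   system('mv ' . $tmp . ' /tmp/' . $_FILES['image']['name']);
// The client-supplied name is parsed by a shell. The version below never
// invokes a shell and never uses the client's name on disk.
function store_image(string $tmpPath, string $destDir, bool $httpUpload = true): string
{
    // Type comes from the file's bytes, not its name or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !array_key_exists($mime, ALLOWED_TYPES)) {
        throw new RuntimeException('upload rejected: type not allowed');
    }
    // Server-generated name: nothing client-chosen reaches the filesystem path.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    // move_uploaded_file() also verifies the source really is an HTTP upload.
    $ok = $httpUpload ? move_uploaded_file($tmpPath, $dest) : rename($tmpPath, $dest);
    if (!$ok) {
        throw new RuntimeException('upload rejected: could not store file');
    }
    return $dest;
}

// Offline demo with constructed inputs (rename() stands in for an HTTP upload).
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$samples = [
    'minimal GIF' => "GIF89a\x01\x00\x01\x00\x00\x00\x00;",
    'PHP script'  => "<?php echo 'not an image';",
];
foreach ($samples as $label => $bytes) {
    $tmp = tempnam($dir, 'in_');
    file_put_contents($tmp, $bytes);
    try {
        echo $label, ' -> stored as ', basename(store_image($tmp, $dir, false)), PHP_EOL;
    } catch (RuntimeException $e) {
        unlink($tmp);
        echo $label, ' -> ', $e->getMessage(), PHP_EOL;
    }
}
```

In a real request handler the first argument would be $_FILES[...]['tmp_name'] and the third argument would be left at its default so that move_uploaded_file() is used.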

CVE-2021-38612

The RemKon Device Manager also features a log reading function that does not sanitize user input, allowing an attacker to read files on the underlying server (including source code for the web application). The directory traversal vulnerability was assigned the ID CVE-2021-38612.

Figure 3: Directory Traversal.

Nascent was informed of the nature of these vulnerabilities shortly after their discovery. The newest version of the RemKon Device Manager remediates the identified issues.

Timeline

2020-04-02: Contacted Nascent to report the vulnerabilities

2021-08-12: Contacted MITRE to request CVEs

2021-08-12: MITRE responded with CVE IDs CVE-2021-38611, CVE-2021-38612, CVE-2021-38613

2021-08-23: Public Disclosure
