CVE-2020-15858 in DISinfo

Summary

by MITRE

Some devices of Thales DIS (formerly Gemalto, formerly Cinterion) allow Directory Traversal by physically proximate attackers. The directory path access check of the internal flash file system can be circumvented. This flash file system can store application-specific data and data needed for customer Java applications, TLS and OTAP (Java over-the-air-provisioning) functionality. The affected products and releases are: BGS5 up to and including SW RN 02.000 / ARN 01.001.06 EHSx and PDSx up to and including SW RN 04.003 / ARN 01.000.04 ELS61 up to and including SW RN 02.002 / ARN 01.000.04 ELS81 up to and including SW RN 05.002 / ARN 01.000.04 PLS62 up to and including SW RN 02.000 / ARN 01.000.04

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 11/10/2020

The vulnerability CVE-2020-15858 represents a critical directory traversal flaw within Thales DIS (formerly Gemalto) embedded devices that affects multiple product lines including BGS5, EHSx, PDSx, ELS61, ELS81, and PLS62 series. This vulnerability stems from insufficient input validation and path access controls within the internal flash file system implementation, creating a pathway for unauthorized file system access that can be exploited by attackers with physical proximity to the target device. The flaw specifically impacts the device's ability to properly validate directory paths during file operations, allowing attackers to bypass intended security boundaries and potentially access sensitive application data, configuration files, and system resources. The vulnerability is particularly concerning because it requires only physical proximity to exploit, making it accessible to attackers who can directly interact with the device, and it affects devices that handle critical application-specific data, TLS certificates, and Java over-the-air provisioning functionality.

The technical exploitation of this vulnerability involves leveraging the insufficient path validation mechanisms to traverse the file system hierarchy and access files outside of the intended directories. Attackers can manipulate file path parameters to navigate to restricted areas of the flash file system where sensitive data resides, potentially including customer Java applications, TLS certificates, and other system-critical components. This directory traversal capability can lead to unauthorized data access, privilege escalation, and potentially full system compromise depending on the sensitive information stored within the affected file system areas. The vulnerability's impact is amplified by the fact that the affected devices operate in environments where physical access may be possible, such as industrial IoT deployments, mobile communication devices, and embedded systems where security by design principles are crucial for protecting against such attacks.

The operational impact of this vulnerability extends beyond simple data access issues and can severely compromise the security posture of affected deployments. Devices that store application-specific data, TLS certificates, and Java over-the-air provisioning components become vulnerable to attackers who can extract sensitive information, potentially leading to credential theft, man-in-the-middle attacks, or unauthorized system modifications. The vulnerability affects multiple generations of Thales DIS products, indicating a widespread issue that impacts various industrial and mobile communication platforms. Organizations using these devices in critical infrastructure, industrial control systems, or mobile network deployments face significant risks as attackers with physical proximity could compromise device integrity, access confidential information, or disrupt service availability. The vulnerability also represents a potential vector for lateral movement within networked environments where these devices may be connected to larger systems.

Mitigation strategies for this vulnerability should focus on both immediate remediation and long-term architectural improvements. Organizations should prioritize updating affected devices to patched firmware versions provided by Thales DIS, ensuring that all devices in their inventory are upgraded to versions that address the directory traversal vulnerability. Physical security measures must be strengthened to prevent unauthorized access to devices, including secure enclosures, tamper-evident seals, and restricted access controls for device locations. Network segmentation and monitoring should be implemented to detect potential exploitation attempts, while regular security assessments should be conducted to identify other potential vulnerabilities in the device ecosystem. The vulnerability aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and represents a direct threat to the principles of least privilege and secure file system access control. From an ATT&CK framework perspective, this vulnerability maps to techniques involving privilege escalation and credential access through physical access vectors, emphasizing the importance of both network-based and physical security controls in protecting embedded systems.

Responsible

MITRE

Reservation

07/20/2020

Moderation

accepted

CPE

ready

EPSS

0.00786

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!