CVE-2022-46902 in Report Server
Summary
by MITRE • 07/25/2023
An issue was discovered in Vocera Report Server and Voice Server 5.x through 5.8. There is a Path Traversal for an Unzip operation. The Vocera Report Console contains a websocket function that allows for the restoration of the database from a ZIP archive that expects a SQL import file. During the unzip operation, the code takes file paths from the ZIP archive and writes them to a Vocera temporary directory. Unfortunately, the code does not properly check if the file paths include directory traversal payloads that would escape the intended destination.
Analysis
by VulDB Data Team • 10/30/2024
CVE-2022-46902 is a critical path traversal flaw in Vocera Report Server and Voice Server versions 5.x through 5.8. It stems from missing input validation during a decompression operation and gives a malicious actor a way to reach system resources they are not authorized to access. The affected component is the websocket function in the Vocera Report Console that restores the database from a ZIP archive containing a SQL import file: the system uses the file paths extracted from the archive without sanitizing them, so an attacker who can supply an archive can steer the extraction with carefully crafted directory traversal sequences.
Technically this is the classic path traversal pattern in which unvalidated file paths from an external source are used directly in file system operations. During the unzip operation the code reads each entry's path from the ZIP archive and writes the entry to a designated temporary directory in the Vocera environment. Because the path is never validated, an entry name containing sequences such as "../" or "..\" escapes the intended destination, and the attacker can write files outside the temporary directory, potentially overwriting critical system files or planting malicious files in sensitive locations on the server's filesystem.
Operationally, the flaw poses severe risk to organizations running Vocera systems, particularly in healthcare environments where data integrity and security are paramount. Path traversal during database restoration could let an attacker escalate privileges, modify critical system components, or inject malicious code into the server environment; the impact therefore goes beyond simple file access, since control over the restoration process can lead to broader system compromise. The flaw is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal"), and the resulting activity maps to MITRE ATT&CK techniques concerned with privilege escalation and persistence.
The primary mitigation is to patch affected Vocera Report Server and Voice Server installations promptly to a version that sanitizes file paths during decompression. Organizations should also use network segmentation and access controls to keep the affected systems away from untrusted networks. Further defensive measures include monitoring for unusual file system activity, validating all externally supplied input, and regularly assessing critical infrastructure components. Security teams may additionally run automated vulnerability scanning that can detect the same path traversal pattern in other applications across their environment, so that similar issues are caught before they recur.
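The extraction check described in the technical analysis and the "proper input validation" mitigation above, as an added illustration that is not Vocera's code: a Python unzip routine canonicalizes every archive entry name against the destination directory and refuses any entry that would resolve outside it. The sample archive, its entry names and the destination directory are all constructed for this example.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed archive: one legitimate SQL import plus entries whose
    names carry traversal sequences or an absolute/drive-letter path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("restore.sql", "-- legitimate SQL import\n")
        zf.writestr("../../outside.sql", "-- would escape the temp dir\n")
        zf.writestr("subdir/../../outside2.sql", "-- escapes via a nested '..'\n")
        zf.writestr("C:\\Windows\\evil.sql", "-- absolute path on Windows\n")
    return buf.getvalue()


def is_safe_member(name: str, dest_dir: str) -> bool:
    """True only if the entry name resolves to a path inside dest_dir."""
    normalised = name.replace("\\", "/")  # ZIP names may use either separator
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return False  # absolute path or drive letter: never acceptable
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, normalised))
    # After canonicalising, the target must still share dest_dir as a prefix.
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_extract(archive_bytes: bytes, dest_dir: str):
    """Extract only members that stay inside dest_dir; return (written, rejected)."""
    written, rejected = [], []
    dest_real = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest_dir):
                rejected.append(info.filename)  # log and skip, do not write
                continue
            out_path = os.path.join(dest_real, info.filename.replace("\\", "/"))
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with zf.open(info) as src, open(out_path, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def demo():
    """Run the hardened extraction against the constructed archive."""
    with tempfile.TemporaryDirectory() as tmp:  # stands in for the Vocera temp dir
        return safe_extract(build_sample_archive(), tmp)
```

Rejected names are worth logging: an archive submitted to the restore function that contains any such entry is itself a detection signal.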