While performing penetration testing, however, a Trustwave researcher was able to intercept and modify the access request using a web interception proxy (Burp Suite) or by sending the request directly to the application endpoint. This allowed UNC paths to be set as backup locations.
“Trustwave SpiderLab’s Senior Technical Specialist, Jordan Hedges, found an improper input validation for the “path” parameter accepted by the “/backup-restore-service/config/backup-path” endpoint which handles requests from the UI to set the database backup location,” Trustwave said in a blog post. “He submitted a backup path that would pass the UI validation and then intercepted the client request post-validation to change the path parameter value to a UNC path under his control.”
While there is no workaround for this vulnerability, Kyocera has rolled out a security update with a patch that implements a validation function: if a path is modified to an invalid path, the invalid path is ignored and the original valid path continues to be used.
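A server-side check in the spirit of the fix described above, as an added illustration that is not Kyocera's code: the function names, the "absolute local drive path" rule and the sample paths are assumptions, and the point is that validation runs on the endpoint after the UI, rejects any UNC or device path, and keeps the previously configured path when the request is invalid.

```python
import ntpath
import re

# Hypothetical rule (assumption): a backup location must be an absolute
# path on a local drive letter, e.g. C:\KyoceraBackups.
_LOCAL_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")


def is_unc_path(path: str) -> bool:
    """True for \\\\server\\share, //server/share and \\\\?\\UNC\\... forms.

    Any path that begins with two separators is rejected, which also covers
    \\\\?\\ and \\\\.\\ device-path prefixes; being conservative here is the
    safe side, since an accepted UNC path triggers outbound NTLM authentication.
    """
    normalized = path.strip().replace("/", "\\")
    return normalized.startswith("\\\\")


def is_valid_local_backup_path(path: str) -> bool:
    """Server-side validation; must not rely on what the UI already checked."""
    candidate = path.strip()
    if not candidate or is_unc_path(candidate):
        return False
    normalized = candidate.replace("/", "\\")
    if not _LOCAL_DRIVE.match(normalized):
        return False          # relative paths and bare "C:foo" forms are refused
    if any(ord(ch) < 32 for ch in normalized):
        return False          # embedded control characters / NULs
    drive, _ = ntpath.splitdrive(ntpath.normpath(normalized))
    return drive.upper() == normalized[:2].upper()


def apply_backup_path(current_path: str, requested_path: str) -> tuple:
    """Return (effective_path, accepted).

    Mirrors the behaviour the patch is described as having: an invalid
    request is ignored and the original valid path stays in effect.
    """
    if is_valid_local_backup_path(requested_path):
        return ntpath.normpath(requested_path.strip().replace("/", "\\")), True
    return current_path, False


if __name__ == "__main__":
    # Constructed sample requests, as an intercepting client might send them.
    current = "C:\\KyoceraBackups"
    for requested in ["\\\\10.0.0.5\\share", "//10.0.0.5/share", "D:/dbbackups/"]:
        print(requested, "->", apply_backup_path(current, requested))
```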
The affected devices include those running the unpatched latest version of Kyocera's Device Manager, which supports installation on Windows Server 2012/2016/2019/2022 and Windows 10 and Windows 11.
UNC authentication attempts can allow credential relaying
Attempting to set the UNC path for the backup location triggers Device Manager to initiate authentication to the share through NTLM (NT LAN Manager) protocols which, depending on a certain system configuration, allows credential leakage.
Credential leakage here refers to the capture or relay of Active Directory hashed credentials if the “Restrict NTLM: Outgoing NTLM traffic to remote servers” security policy is not enabled, according to the post.