Bastion Security

Spectrum Spatial Analyst 20.1 — Multiple issues


Introduction

During an engagement, Jack Moran from ZX Security discovered a Server-Side Request Forgery (SSRF) and a Path Traversal sequence within the Precisely Spectrum Spatial Analyst ecosystem.

The Vulnerability

Precisely Spectrum Spatial Analyst is an interactive mapping and analysis application, part of the Precisely Spectrum Spatial suite. It is an off-the-shelf product that offers a range of features out of the box to create and modify ‘vector thematic maps and reports’ [1]. Precisely Spectrum Spatial Analyst offers an interactive mapping service and provides ‘access to mapping and geographic-based information, addresses and postcode searches’.

November 16, 2022

Server-Side Request Forgery

What is Server-Side Request Forgery?
Server-Side Request Forgery allows a threat actor to induce the back-end server of a vulnerable application to make HTTP requests on their behalf. Because the request originates from the server, it can reach internal systems that are not directly accessible from the internet.

Where was the Server-Side Request Forgery?
The Server-Side Request Forgery issue was discovered in the /connect/analyst/controller/externalTileServiceProxy endpoint. This endpoint accepted an arbitrary URL in the REQUEST_URL= parameter. When the request is made, the server-side application fetches the supplied URL and embeds the associated response in its own reply, so the caller both chooses the target and reads the result. An example request can be seen below:

GET /connect/analyst/controller/externalTileServiceProxy?MAP_URL=[REDACTED]&REQUEST_URL=[REDACTED]&TYPE=XYZ&mapcfg=[REDACTED]&TILE_PROFILE=/Analyst/NamedExternalTilingConfigurations/Drone HTTP/1.1
Host: [REDACTED]
Connection: close

CVE-2022-42183

Path Traversal Sequence Leads To Authentication Bypass

What is Path Traversal?
Path Traversal vulnerabilities allow a threat actor to request and access files and directories within a vulnerable application that are usually protected or restricted by authentication.

Where was the Path Traversal Sequence?
The Path Traversal sequence vulnerability was discovered on multiple endpoints that accepted an arbitrary URL via the url= parameter. Unlike a traditional Path Traversal, which requests a file or directory, this sequence allowed the inclusion of SOAP and REST API endpoints within the platform that would otherwise require authentication. Because the proxy endpoint itself was reachable, the traversal exposed that additional functionality and bypassed the BASIC authentication that had been preventing access to it. An example request can be seen below:

GET /connect/analyst/controller/connectProxy/rest/Spatial/ProjectService?url=../../../soap/&now=1655252233022 HTTP/1.1
Host: [REDACTED]
Connection: close

CVE-2022-42182
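Both issues above stem from a proxy endpoint fetching whatever the caller names in a URL parameter. The following is an added example, not code from Precisely or ZX Security, of the two checks such a proxy needs: an allowlist for external tile hosts (REQUEST_URL) and a base-path containment check for the url= parameter of an internal REST proxy. The allowlist host, base path and function names are assumptions for illustration.

```python
import ipaddress
import posixpath
from urllib.parse import unquote, urlsplit

# Hypothetical allowlist of external tile providers the proxy may contact.
TILE_HOST_ALLOWLIST = {"tiles.example.net"}


def is_allowed_tile_url(url: str) -> bool:
    """Accept only http(s) URLs whose host is on the allowlist.

    Literal IP addresses are rejected outright, so the proxy can never be
    pointed at loopback, link-local or private ranges. The check is on the
    URL's hostname (not the userinfo part), which defeats 'user@host' tricks.
    At connect time the resolved address should be re-checked as well,
    since a DNS answer can still point an allowed name at an internal IP.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    try:
        ipaddress.ip_address(host)
        return False  # bare IP literal, never allowed
    except ValueError:
        pass  # a hostname; fall through to the allowlist
    return host in TILE_HOST_ALLOWLIST


def resolve_proxy_path(base: str, user_path: str):
    """Resolve a url= value against the REST base the proxy is meant to front.

    Returns the normalised path, or None when the result would escape the
    base (for example '../../../soap/'). user_path is percent-decoded once,
    as a web framework would; anything still encoded afterwards is rejected
    so double encoding cannot smuggle a traversal past the check.
    """
    decoded = unquote(user_path.split("?", 1)[0])
    if "%" in decoded or "\\" in decoded or "\x00" in decoded:
        return None
    base_norm = posixpath.normpath(base).rstrip("/") + "/"
    joined = posixpath.normpath(posixpath.join(base_norm, decoded.lstrip("/")))
    if not (joined + "/").startswith(base_norm):
        return None  # escaped the base, e.g. resolved to /soap
    return joined
```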

Vulnerability Disclosure Timeline:

  • 19/08/2022 - ZX Security was sent confirmation that the vulnerabilities are being addressed by the vendor in the next release.
  • 08/10/2022 - Version 2022.1.0 S06 Released.
  • 18/10/2022 - CVE-2022-42182 and CVE-2022-42183 Reserved.
  • 16/11/2022 - Blog published :).

References

