A critical security flaw in Kyocera’s Device Manager (CVE-2023-50916) has been revealed, presenting an opportunity for malicious activities on affected systems. Trustwave’s advisory emphasizes the potential exploitation of authentication attempts and the capture or relay of Active Directory hashed credentials. Additionally, QNAP Systems has addressed various vulnerabilities, including a high-severity prototype pollution flaw (CVE-2023-39296). This technical blog provides an in-depth analysis of the Kyocera Device Manager vulnerability, steps for exploitation, and insights into QNAP Systems’ security fixes.

Kyocera Device Manager Vulnerability (CVE-2023-50916):

Trustwave identifies CVE-2023-50916 as a path traversal flaw, allowing attackers to manipulate authentication attempts on Kyocera Device Manager. The vulnerability arises from improper input validation for the “path” parameter in the “/backup-restore-service/config/backup-path” endpoint. Exploiting this flaw permits the alteration of the backup location’s path to a Universal Naming Convention (UNC) path, leading to unauthorized access to client accounts and potential data theft. The environment configuration could also enable NTLM relay attacks.

Exploitation & Impact:

• Attack Vector: Malicious actors can coerce authentication attempts toward their resources, such as a malevolent SMB share.
• Credential Compromise: The compromise of Active Directory credentials becomes particularly severe if the ‘Restrict NTLM: Outgoing NTLM traffic to remote servers’ security policy is not enabled.
• Unauthorized Access: Altering the backup location’s path can lead to unauthorized access to clients’ accounts, potentially resulting in data theft.
• NTLM Relay Attacks: Depending on the environment configuration, the vulnerability may facilitate NTLM relay attacks.

QNAP Systems’ Security Fixes:

QNAP Systems has released fixes for several flaws across various products, addressing high-severity vulnerabilities. Notable among them is CVE-2023-39296, a prototype pollution vulnerability. Users should update to the latest versions, specifically QTS 5.1.3.2578 build 20231110 and QuTS hero h5.1.3.2578 build 20231110.

Other Notable Flaws:

• CVE-2023-47559: Cross-site scripting (XSS) vulnerability in QuMagie (Addressed in QuMagie 2.2.1 and later).
• CVE-2023-47560: Operating system command injection vulnerability in QuMagie (Addressed in QuMagie 2.2.1 and later).
• CVE-2023-41287: SQL injection vulnerability in Video Station (Addressed in Video Station 5.7.2 and later).
• CVE-2023-41288: Operating system command injection vulnerability in Video Station (Addressed in Video Station 5.7.2 and later).
• CVE-2022-43634: Unauthenticated remote code execution vulnerability in Netatalk (Addressed in QTS 5.1.3.2578 build 20231110 and QuTS hero h5.1.3.2578 build 20231110).

Steps to Reproduce:

1. Authenticate to Kyocera Device Manager.
2. Attempt to modify the backup location and intercept the request to “/backup-restore-service/config/backup-path” using a web interception proxy like Burp Suite.
3. Modify the “path” URL parameter to the attacker-controlled UNC path.
4. Submit the request and observe the error message indicating that Kyocera Device Manager attempted to connect.
5. Verify on the attacker-controlled host that a connection has been made by the Kyocera Device Manager application, potentially including Windows NTLM hashes.

Remediation: Kyocera’s Response:

Kyocera has promptly addressed the vulnerability in version 3.1.1213.0 of Kyocera Device Manager. Users are strongly recommended to update their installations to mitigate potential risks associated with the identified vulnerabilities. The coordinated disclosure process between Trustwave and Kyocera exemplifies the importance of a proactive vendor response in maintaining cybersecurity resilience.