SpinetiX-SA-20:01

This page relates to security advisories.

RSS proxy server-side request forgery (SSRF) and path traversal

Mitigation

Exploiting the attack requires authentication with a user with admin or content edit rights. Using proper passwords for all users mitigates the attack.

Details

The RSS proxy service (rssProxy.php endpoint) lacked proper validation of the URI parameter and was susceptible to path traversal and Server-Side Request Forgery (SSRF) attacks. An attacker could obtain access to protected player files or make requests to internal player services posing as localhost, potentially disclosing protected data. This is partially mitigated by the fact that the script runs with limited rights and the exploit requires to be authenticated as a user with admin or content edit rights.

The URI validation fix in firmware 4.5.3 fixed path traversal and the most obvious SSRF attacks but failed to cover other cases like HTTP redirects to protected resources. Firmware 4.6.0 extends the validation to carefully validate all HTTP redirects. The URI validation in firmware 4.6.0 is still vulnerable to time of check to time of use based attacks using short-lived DNS records, but exploiting it is significantly more difficult and gives no access to otherwise protected information.

The RSS proxy service (rssProxy.php endpoint) is no longer included in the firmware for HMP400, HMP400W and DSOS on third party devices as it is not needed on these devices. It remains included in the firmware for DiVA, HMP300 and HMP350 devices as it is used by the content management interface included in these devices.

CVE-2020-15809

• CVSS Base Score: 6.5 (medium)
• CVSS v3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C

Acknowledgment

SpinetiX thanks Smaury from Shielder Srl for reporting the issue and collaboration in reviewing the fixes.

Revisions

1. March 22, 2021: Initial public release
2. March 27, 2021: Updated CVSS base score and vector to match NVD