Vulnerability found in Virtual Reception Kiosk
We are proud to announce that the vulnerability CVE-2023-25289, discovered by security researchers from Spinae, has been recognized.
During a Pentest for a customer, our security researcher Mattias noticed a virtual reception kiosk was being used to register visitors.
During the internal pentest part of our Security MRI, the internal network of the customer is scanned to discover what devices are connected to the customers’ network. Mattias discovered that the Kiosk was connected to the internal network of the customer. Upon closer investigation, the kiosk was an Intel NUC running Microsoft Windows 7 with the kiosk software.
After testing the machine, we noticed that you could traverse the directory of the machine through a web browser by entering the IP-address of the machine and a directory path.
For example, you could open the windows host file by entering the following path in the browser:
What can be done with this?
This directory traversing vulnerability can be misused for a range of things. Here are a few examples:
- Read the visitor logbook and know who visited the customer
- Read the email addresses of employees imported in the kiosk
- See live video footage of the webcam at the top of the kiosk
How are these things possible? This is explained in detail below.
Read the visitor logbook
The visitor logbook is just a file on the machine and could be accessed with entering the following path in the browser:
Read the e-mail addresses of employees
From the kiosk, employees can be notified via email that the visitor arrived at the office. For this to be possible, all email addresses are imported on the kiosk from the Active Directory. This is just a file, located on the kiosk that can be accessed by entering the file path in the browser.
See live footage of the webcam
What can you do to prevent this?
The vendor of the virtual reception kiosk can disable directory traversal over network. The vendor could also protect the webcam livestream with a strong username and password.
However, you can’t always fully rely on the vendor to make everything secure. You can take some protective measures as well. For example, you can segregate your network and put the virtual reception kiosk in a separated segment of your network, with strict segmentation firewall rules (deny-by-default, allow-by-exception).
Are you uncertain about the security of some devices in your network? We can help test these devices and the rest of your network for you!
Interested? Feel free to take contact with us!