□ Overview
o HANSSAK Co.,Ltd released security update to address authentication bypass, SQL-Injection and path traversal vulnerability in SecureGate.
□ Description
o This vulnerability of SecureGate is SQL-Injection using login without password. A path traversal vulnerability is also identified during file transfer.
o An attacker can take advantage of these vulnerabilities to perform various attacks such as obtaining privileges and executing remote code, thereby taking over the victim’s system.
□ Affected Product
□ Solution
o Update software over WebLink 3.5.6 version or higher.
□ Reference
[1] http://hanssak.co.kr/solution/securegate.html
□ Acknowledgements
o Thanks to Jongho Lee for reporting this vulnerability.
□ 작성 : 침해사고분석단 취약점분석팀
o HANSSAK Co.,Ltd released security update to address authentication bypass, SQL-Injection and path traversal vulnerability in SecureGate.
| Vulnerability Type | Impact | Severity | CVSS Score | CVE ID |
|---|---|---|---|---|
| authentication bypass, SQL-Injection,Path traversal |
remote code execution, privilege extortion and etc. |
High | 8.8 | CVE-2022-23767 |
□ Description
o This vulnerability of SecureGate is SQL-Injection using login without password. A path traversal vulnerability is also identified during file transfer.
o An attacker can take advantage of these vulnerabilities to perform various attacks such as obtaining privileges and executing remote code, thereby taking over the victim’s system.
□ Affected Product
| Product | Version | Platform |
|---|---|---|
| SecureGate | 3.5 | Windows |
| WebLink | 3.5.2 ~ 3.5.5 |
□ Solution
o Update software over WebLink 3.5.6 version or higher.
□ Reference
[1] http://hanssak.co.kr/solution/securegate.html
□ Acknowledgements
o Thanks to Jongho Lee for reporting this vulnerability.
□ 작성 : 침해사고분석단 취약점분석팀