VYPR
High severity 8.6 · NVD Advisory · Published Jun 3, 2019 · Updated Jun 2, 2026

CVE-2017-14853

Description

Orpak SiteOmat OrCU component, prior to 2017-09-25, allows code injection via a search query that directly executes shell commands, enabling remote unauthenticated attackers to run arbitrary commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A code injection vulnerability (CWE-77) exists in the Orpak SiteOmat OrCU component in all versions prior to 2017-09-25. The bug is triggered by a search query whose unsanitized user input is passed directly to a shell command without proper neutralization. Affected products: SiteOmat versions prior to 6.4.414.122 [1].

Exploitation

An attacker can exploit this vulnerability remotely over the network without authentication [1]. By tampering with the request parameters, the attacker injects arbitrary shell commands into the search query, which then execute on the underlying operating system. The resulting command output is returned in the application response. The low skill level required for exploitation and the availability of public exploits make this vulnerability easy to exploit [1].

Impact

Successful exploitation allows an attacker to execute arbitrary shell commands on the device with the privileges of the application process. This leads to arbitrary remote code execution, which could result in denial-of-service conditions and unauthorized access to view and edit monitoring, configuration, and payment information. The overall impact on confidentiality, integrity, and availability is high [1].

Mitigation

The vendor, Orpak (acquired by Gilbarco Veeder-Root), released a fix in SiteOmat version 6.4.414.122 [1]. Users should upgrade to this version or later. As of the advisory date (2019-06-03), no workaround was provided; timely patching is recommended. This CVE is not listed in the CISA KEV catalog [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Orpak/Orpak SiteOmat OrCU (description)
  • Orpak/SiteOmat (llm-fuzzy)
    Range: <2017-09-25

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3
