VYPR
Unrated severity · NVD Advisory · Published Jan 9, 2019 · Updated Aug 5, 2024

CVE-2018-16170

Description

Directory traversal vulnerability in Cybozu Remote Service 3.0.0 to 3.1.8 for Windows allows remote authenticated attackers to read arbitrary files via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cybozu Remote Service 3.0.0 through 3.1.8 for Windows allows authenticated remote attackers to delete arbitrary files via a directory traversal in the device management screen.

Vulnerability

Cybozu Remote Service versions 3.0.0 to 3.1.8 for Windows contain a directory traversal vulnerability (CWE-22) in the used device management screen [1][2]. An authenticated attacker can read any file on the server by exploiting this flaw via unspecified vectors [1]. Note that this vulnerability is confirmed only for Windows installations [1].

Exploitation

An attacker must have valid authentication credentials (low privileges) for the Cybozu Remote Service web management interface [1]. The attack vector is network-based, requires no user interaction, and the attack complexity is low [1]. The specific steps are not publicly detailed by the vendor to avoid aiding exploitation, but the vulnerability lies in the device management screen, where a crafted request can traverse directories [1][2].

Impact

Successful exploitation allows an authenticated remote attacker to delete arbitrary files on the server, affecting integrity and availability [1][2]. The CVSS v3 base score is 9.6 (Critical), with the scope changed, meaning the impact can extend beyond the vulnerable component [1][2]. Confidentiality is not affected, but integrity and availability are rated high [1][2].

Mitigation

The vendor Cybozu has addressed this vulnerability in version 3.1.9 of Cybozu Remote Service, released on 2018-11-26 [2]. Users should update to version 3.1.9 or later. No workarounds are mentioned in the available references [1][2]. Cybozu Remote Service is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


References

2
