VYPR
Unrated severity · NVD Advisory · Published Jan 24, 2022 · Updated Aug 4, 2024

CVE-2020-17383

Description

Unauthenticated directory traversal in Telos Z/IP One through 4.0.0r gives root-level file system access, exposing configs and passwords.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Telos Z/IP One IP Broadcast Codec devices through firmware version 4.0.0r contain a directory traversal vulnerability in the SOhttpServer component. The Quick Start and User Manual links on the web interface serve files from a document directory without proper path validation, allowing an unauthenticated attacker to read arbitrary files on the device's file system. The server runs with root privileges, so any file readable by root can be accessed [1].

Exploitation

An unauthenticated attacker with network access to the device's web interface can exploit the path traversal by crafting a URL that includes ../ sequences to escape the document root. The attack requires no authentication or user interaction; a simple HTTP request to the vulnerable endpoint is sufficient [1].

Impact

Successful exploitation grants root-level read access to the entire file system. The attacker can retrieve configuration settings, password hashes for built-in accounts (from /etc/shadow), and crucially, the cleartext password for the WebUI remote configuration. This can lead to full administrative compromise of the device and potential pivoting within the broadcast network [1].

Mitigation

The vendor (Telos Alliance) released a patched firmware version in October 2021 that corrects the traversal issue [1]. Users should upgrade to the latest firmware version immediately. No workarounds are available. Devices exposed to the internet (as discovered via Shodan) are especially at risk and should be updated or isolated [1].
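To make the flaw class and its fix concrete, here is an added Python illustration (not code from Telos Alliance or from this advisory; the document root, the in-memory file table and the access-log lines are constructed for the example): a file handler that joins the requested name onto the document directory without validation, the hardened version that canonicalises the path and refuses anything that resolves outside the root, and a small filter that flags traversal attempts in web-server access logs.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Hypothetical document directory served by a web front end (assumption,
# not the real path used on the device).
DOC_ROOT = "/var/www/docs"

# Constructed stand-in for the file system, so the example runs offline
# and never touches real files. The /etc/shadow entry is fake data.
FAKE_FS = {
    "/var/www/docs/quickstart.pdf": b"quick start guide",
    "/var/www/docs/manual.pdf": b"user manual",
    "/etc/shadow": b"root:$6$CONSTRUCTED$...:19000:0:99999:7:::",
}


def vulnerable_resolve(requested: str) -> str:
    """The flawed pattern: decode, join onto the root, and trust the result.

    '../' segments survive the join and normpath collapses them, so the
    resolved path can leave DOC_ROOT entirely.
    """
    decoded = unquote(requested)
    return posixpath.normpath(posixpath.join(DOC_ROOT, decoded))


def safe_resolve(requested: str) -> Optional[str]:
    """Hardened pattern: canonicalise, then prove the result is under DOC_ROOT.

    A leading '/' is stripped so it cannot override the root, the path is
    normalised, and commonpath() must return the root itself. On a real
    file system you would also apply os.path.realpath() to defeat symlinks.
    """
    decoded = unquote(requested)
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    if posixpath.commonpath([DOC_ROOT, candidate]) != DOC_ROOT:
        return None  # escaped the document directory: refuse
    return candidate


def vulnerable_serve(requested: str) -> Optional[bytes]:
    """Serves whatever the unchecked resolution points at (root-owned files included)."""
    return FAKE_FS.get(vulnerable_resolve(requested))


def safe_serve(requested: str) -> Optional[bytes]:
    """Serves only files that resolve inside DOC_ROOT."""
    path = safe_resolve(requested)
    return FAKE_FS.get(path) if path is not None else None


# Detection side: flag request paths containing traversal sequences,
# checking both the raw URL and its percent-decoded form.
TRAVERSAL_RE = re.compile(r"(?:\.\.|%2e%2e)(?:/|\\|%2f|%5c)", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')

# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Jan/2022:10:00:01 +0000] "GET /docs/quickstart.pdf HTTP/1.1" 200 51234',
    '192.0.2.77 - - [24/Jan/2022:10:00:05 +0000] "GET /docs/../../../etc/shadow HTTP/1.1" 200 1190',
    '192.0.2.77 - - [24/Jan/2022:10:00:09 +0000] "GET /docs/..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '192.0.2.10 - - [24/Jan/2022:10:00:12 +0000] "GET /docs/manual.pdf HTTP/1.1" 200 88421',
]


def flag_traversal_requests(log_lines: List[str]) -> List[str]:
    """Return the request paths in the log that contain traversal sequences."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = match.group(1)
        if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(unquote(path)):
            hits.append(path)
    return hits


if __name__ == "__main__":
    probe = "../../../etc/shadow"
    print("vulnerable:", vulnerable_resolve(probe), vulnerable_serve(probe))
    print("hardened:  ", safe_resolve(probe), safe_serve(probe))
    print("flagged:   ", flag_traversal_requests(SAMPLE_LOG))
```

The hardened resolver is the check a file-serving endpoint needs whenever it maps a client-supplied name onto a directory; the log filter is a triage aid for spotting probes against devices that cannot yet be upgraded, and a status 200 on a flagged line is the signal to treat the device as compromised rather than merely probed.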

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 3

News mentions: 0

No linked articles in our index yet.