CVE-2023-27792

Vulnerability

An issue found in IXP Data Easy Install v.6.6.14884.0 allows privilege escalation due to a lack of proper permissions applied to subdirectories. The vulnerability affects the insecure local filesystem ACLs (CVE‑2023‑27792) as described in the reference [1]. The misconfiguration permits unauthorized access to sensitive directories by users with limited privileges.

Exploitation

An attacker with low-privileged access to the system can navigate the file system and access subdirectories that have not had their ACLs correctly restricted. No additional authentication or user interaction is required beyond local access. The exploit involves enumerating directories and files that should have been locked down but are readable or writable due to the misconfigured permissions.

Impact

Successful exploitation allows an attacker to escalate their privileges on the local system. Depending on the contents of the improperly secured directories, this could lead to disclosure of sensitive configuration data or overwriting files, potentially leading to full compromise of the application’s security controls.

Mitigation

As of the reference publication [1], IXP Data has not released a public fix for CVE‑2023‑27792. The advisory recommends that administrators review and manually correct the filesystem ACLs on subdirectories of the Easy Install installation, ensuring that only authorized users have appropriate permissions. If a patched version becomes available, it should be applied promptly.