Hello and welcome to the Friday, January 19th, 2020, edition of the Sanchez and at Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

I've got yet another update about the Eventi-Connect secure vulnerabilities.

We now have a blog post by Rapid 7 that goes into quite a bit of details of the product,

what the exact nature of the vulnerability is and how to exploit it.

With this, we have fairly straightforward to execute exploits available for everybody willing to give

them a try.

And we certainly do start seeing some specific scans that match the pattern suggested by Rapid

7.

The root cause of the problem is a directory traversal vulnerability.

That part is trivial to exploit, essentially only the first part of the problem is a directory traversal vulnerability. That part is trivial to exploit.

Essentially only the first part of the path is actually being used for access control.

You have to find a path that you have access to. There are a couple that do not require any

kind of access control. And that way you're able to then send you just append the path

that you actually would like to execute.

If you find one that allows code execution, well, then you have your full remote code execution

exploit, and that's what Rapid 7 explains in its blog post.

Now, there's a good news side to the story.

Rapid 7 confirmed that the XML configuration update that Yvante published does prevent the

directory traversal exploit, so that should help you out.

Of course, the denser of remote code execution and such would still work, but you would

need to authenticate to actually execute that. The final patch should become available starting

...