SysAid Take Over
In 2022, during one of our security assessments, we identified a critical vulnerability in the SysAid IT management system, which was later officially documented as CVE-2022-22796. This vulnerability was discovered by our team
Discovering and Exploiting CVE-2022-22796
This vulnerability allows a malicious attacker to gain admin privileges on the SysAid system. With these privileges, the attacker can access the “Remote Access” feature to control workstations and servers within the internal network. This means they can execute arbitrary code on these devices from either external or internal networks without any restrictions.
Two years later, we conducted internal infrastructure penetration tests and were astonished to discover that several companies had not updated their systems and remained vulnerable to this exploit. Despite the two-year window to apply necessary patches, these organizations had failed to do so, leaving them exposed. As a result, we were able to exploit the vulnerability and gain Domain Admin privileges within approximately five minutes of initiating the test.
In this blog post, we also decided to provide a perspective from the attacker’s point of view, illustrating how the vulnerability is actually exploited.
First Step is to exploit the vulnerability and gain access as “Admin” to the administration panel.
Second step is to browse to “Assets” -> “Remote Control” and choose one of the servers. In this scenario, we noticed that a ‘Domain Admin’ user was logged into a specific server, so we decided to take control of that server. And finally, we added our user to the ‘Domain Admins’ group, thus gaining Domain Admin privileges.
Proof of Concept – The malicious user has logged into the Domain Controller as a Domain Admin user.
The Impact of CVE-2022-22796
The SysAid vulnerability CVE-2022-22796, represents a significant risk to organizations that have not updated their systems. This flaw enables attackers to bypass security controls and take full control of IT management systems. Once an attacker gains admin privileges, they can navigate the entire network, leveraging remote access capabilities to execute malicious code, compromise sensitive data, and disrupt operations.
Key Risks:
1.Unauthorized Remote Access: Attackers can control workstations and servers, leading to potential data breaches and operational disruptions.
2.Privilege Escalation: The ability to gain Domain Admin privileges allows attackers to manipulate the entire IT infrastructure, posing severe security threats.
3.Network-wide Compromise: With control over the IT management system, attackers can spread malware, conduct espionage, and cause widespread damage across the organization.
The Importance of Timely Updates
The discovery that many companies remain vulnerable to CVE-2022-22796 underscores the critical importance of timely software updates and patch management. Despite the availability of a patch for over two years, the failure to implement these updates has left numerous organizations exposed to significant security risks.
Lessons Learned:
1.Regular Vulnerability Assessments: Organizations must conduct regular vulnerability assessments to identify and address security flaws promptly.
2.Effective Patch Management: Implementing a robust patch management strategy is essential to protect against known vulnerabilities and emerging threats.
3.Proactive Security Measures: Beyond patching, adopting proactive security measures, such as penetration testing and continuous monitoring, can help identify and mitigate risks before they are exploited by attackers.
Conclusion
The case of CVE-2022-22796 serves as a stark reminder of the ongoing challenges in cybersecurity. It highlights the necessity for organizations to stay vigilant, prioritize security updates, and invest in comprehensive security strategies. As threats continue to evolve, maintaining up-to-date systems and adopting proactive security practices are crucial steps in safeguarding against potential attacks.
For those responsible for IT security, this serves as a call to action: review your current systems, ensure all updates are applied, and take a proactive approach to securing your infrastructure. The cost of complacency can be devastating, but with the right measures in place, you can protect your organization from critical vulnerabilities and the ever-present threat of cyber attacks.