The exploit targets a vulnerability discovered in 2007 that could be used to execute Tool Command Language (TCL) commands, which would allow a hacker to use SiteScape as a “staging area” for attacks on the organization’s internal network, Tom Eston, senior consultant at SecureState, told Infosecurity.
SecureState was able to take a previously unvalidated vulnerability and prove that it is exploitable. However, the vulnerability remains in candidate status, and no exploit code has been released, the company said.
“What we were able to do was inject our own TCL code, which resulted in the server running the code within the context of SiteScape applications. The code we injected essentially connected back to the attacker…which allowed the attacker to run commands on the operating system”, Spencer McIntyre, the SecureState staff security consultant who discovered the exploit, told Infosecurity.
This vulnerability meets most of the criteria to be a high-risk vulnerability because it is remotely exploitable, requires no authentication, and provides command execution, SecureState said.
Using public search engines, SecureState conducted a survey of servers running SiteScape and found that close to 54% of them were vulnerable to the TCL code injection attack.
Attackers who use this exploit would be able to run commands on the server to gain access to the organization’s network. “Oftentimes, when attackers exploit these vulnerabilities, the servers are in a DMZ-type environment, so they use that as a pivot point to attack systems on the internal network if they can get in. A lot of times, it is used as a staging area”, Eston explained.
As a result, hackers could gain network access to steal proprietary information or sabotage systems, depending on how SiteScape is used by the organization.
To counter the threat, organizations need to upgrade their SiteScape Enterprise Forum from earlier versions to version 8, which plugs this vulnerability, explained McIntyre.