Executive Summary

CVE-2020-36904 is a critical remote code execution vulnerability in Selea CarPlateServer versions up to 4.0.1.6. It allows attackers to bypass authentication on the /cps/ endpoint and manipulate the NO_LIST_EXE_PATH configuration parameter to execute arbitrary Windows binaries on the server. This means an attacker can run any program they choose remotely, including changing admin passwords and executing system commands, without needing any privileges or user interaction. [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a complete compromise of the affected system. Attackers can execute arbitrary code remotely, bypass authentication, modify server configurations, change administrator and user passwords, and potentially cause denial of service (DoS). This puts the system's security and integrity at significant risk, allowing unauthorized access and control over the traffic control and road safety system. [1, 2, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the Selea CarPlateServer software version 3.005 through 4.0.1.6 is running on your system. You can monitor network traffic for unauthorized POST requests to the /cps/ endpoint, especially those targeting /config_request?ACTION=WRITE with JSON payloads attempting to set the NO_LIST_EXE_PATH parameter. A practical detection method includes capturing HTTP requests to the /cps/ endpoint and looking for attempts to modify configuration parameters without authentication. For example, using curl or similar tools to test access: curl -X POST http://<server-ip>/cps/config_request?ACTION=WRITE -d '{"NO_LIST_EXE_PATH":"C:/windows/system32/calc.exe"}' -H "Content-Type: application/json" to see if the server accepts such requests without authentication. Additionally, network intrusion detection systems (NIDS) can be configured to alert on such suspicious POST requests to the /cps/ endpoint. [1, 2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include: 1) Restrict network access to the /cps/ endpoint to trusted IP addresses only, preventing unauthorized access from external or untrusted sources. 2) Apply any available patches or updates from Selea that address this vulnerability, as newer firmware and software versions have fixed most issues. 3) If patches are not immediately available, disable or block access to the vulnerable configuration endpoint (/cps/) to prevent exploitation. 4) Monitor logs for suspicious activity related to configuration changes or unauthorized POST requests. 5) Change all administrator and user passwords to prevent unauthorized access if compromise is suspected. 6) Consider implementing network-level protections such as firewalls or web application firewalls (WAF) to block malicious requests targeting this vulnerability. [2, 3]

Useful 0 Not Useful 0