Executive Summary

This vulnerability exists in Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604. It involves an unauthenticated WCF SOAP endpoint on TCP port 1208 that accepts unsanitized file paths in the ReadLicense action's LFName parameter.

Remote attackers can exploit this by sending crafted SOAP requests containing UNC paths, which cause the server to initiate outbound SMB connections. This behavior can leak NTLMv2 machine-account hashes.

The leaked authentication credentials may then be used for privilege escalation or lateral movement within the network.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to unauthorized disclosure of NTLMv2 machine-account hashes by forcing the server to make outbound SMB connections.

Attackers can use these leaked credentials to escalate privileges or move laterally within your network, potentially gaining access to sensitive systems or data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves an unauthenticated WCF SOAP endpoint on TCP port 1208 that accepts unsanitized file paths, allowing remote attackers to trigger SMB connections and leak NTLMv2 hashes.

To detect this vulnerability on your network or system, you can monitor for unusual outbound SMB connection attempts originating from the affected server, especially those triggered by SOAP requests to TCP port 1208.

You may use network monitoring tools or commands to check for connections on TCP port 1208 and SMB traffic patterns.

• Use netstat or equivalent to check if the service is listening on TCP port 1208: `netstat -an | grep 1208`
• Monitor outbound SMB connections (typically TCP port 445) from the server using network monitoring tools or commands like `tcpdump` or `Wireshark`.
• Inspect logs for SOAP requests to the ReadLicense action with suspicious UNC paths in the LFName parameter.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the WCF SOAP endpoint on TCP port 1208 to trusted users or networks only.

Additionally, monitoring and blocking outbound SMB connections that are not necessary can help prevent leakage of NTLMv2 hashes.

Applying any available patches or updates from Unisys for WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 is recommended once they become available.

• Restrict or firewall TCP port 1208 to prevent unauthorized access.
• Monitor and restrict outbound SMB traffic from the affected server.
• Review and harden authentication and network segmentation to limit lateral movement.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows remote attackers to leak NTLMv2 machine-account hashes by exploiting an unauthenticated WCF SOAP endpoint that accepts unsanitized file paths. Such exposure of authentication credentials can lead to privilege escalation or lateral movement within the network.

The leakage of authentication credentials and potential unauthorized access could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure access controls. However, specific effects on compliance are not detailed in the provided information.

Useful 0 Not Useful 0