Risk Category: Medium Document ID: DGLUX-05-264422
Version: 1.0
Document Status: Final
CVSS v3.1 Score: 6.5
CVSS Vector: cvss:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVE ID: CVE-2020-13090
CWE: CWE-23
Description:
The DGLux Server contains a directory traversal vulnerability within the REST API component. The vulnerability impacts DGLux Server builds 1494 and prior. The vulnerability can be exploited by an authenticated, remote attacker with sufficient privileges to access the file upload, move, and copy features of the impacted component. Authentication to the impacted component could be done either via the Web Interface or via the REST API. Unauthenticated, and default user-level privileges are insufficient to exploit the issue.
DGLux Server, also known as DSA Server, is one of the many backends that an administrator may provision to support the DGLux5 web application. This issue only impacts installations configured to utilize the DGLux Server; no other configurations are impacted.
The extended impact of the vulnerability depends on the particular installation that was performed by the end-user or integrator. Best practices and installation documentation advise installing DGLux Server under a limited-service account. However, there are no technical controls to prevent the product from being installed under a privileged account such as root. An attacker who successfully exploits the vulnerability could upload, and then move or copy an arbitrary file to any location that the DGLux Server account can access. If this is a privileged account, the attacker may be able to write to any arbitrary directory on the system.
DGLux Server provides the options to perform up and downstream configuration management to similar DGLux Server instances. The vulnerable REST API methods are limited to impacting the local file system of an impacted server and do not impact associated server instances.
Impacted Versions:
DGLux Server / DSA Server versions Build 1494 and prior
Installations of DGlux5 that utilize an alternate server component are unaffected.
Resolution:
The vulnerability was resolved in version 1506 and later of DGLux Server.
Fixed Software:
Administrators may download updated software from one of the following locations.
Administrators may also update current installations by performing the following steps:
1. Open DGLux5 UI.
2. Switch to Data tab.
3. Right-click on the sys node -> Update -> Server From Repository -> Invoke.
4. Restart server using right-click on the sys node -> Restart Server.
Attribution:
Acuity Brands would like to thank Kyle Winkel from NTT Security's Threat Services Team for reporting this vulnerability.
History:
8/12/2020 – Initial Release
LEGAL DISCLAIMER:
THIS CONTENT IS PROVIDED ON AN "AS IS" BASIS FOR INFORMATIONAL PURPOSES ONLY AND IS PROVIDED WITHOUT ANY WARRANTY OF ANY KIND. THE CONTENT IS INTENDED FOR USERS OF ACUITY BRANDS PRODUCTS WHO POSSESS THE PROFESSIONAL SKILLS AND JUDGMENT NECESSARY TO INTERPRET THE INFORMATION AND DETERMINE THE APPROPRIATE STEPS TO TAKE. USE OF THE INFORMATION IS AT THE USER’S OWN RISK. THE AUTHOR RESERVES THE RIGHT TO UPDATE OR DELETE THIS CONTENT AT ANY TIME.
