Cyber Affairs

Titan File Transfer Server Flaws

by admin
Oct 18, 2023
in News

Multiple vulnerabilities have been disclosed in the Titan MFT and Titan SFTP servers from South River Technologies, covering information disclosure, session fixation, and remote code execution. South River Technologies has released fixes for all of them.

Titan MFT and Titan SFTP are managed file transfer (MFT) servers with secure file transfer (SFTP) support, offering scalability, high availability, failover, and clustering. Titan MFT additionally provides load balancing, multi-server clustering and failover, and faster transfers through data compression.

CVE-2023-45685: Remote Code Execution via “zip slip”

An attacker who can upload files exploits this vulnerability by uploading a ZIP archive containing an entry with a name such as ../../file. Because Titan MFT and Titan SFTP extract uploaded ZIP files automatically, the entry is written outside the user's home directory. The severity of this vulnerability is still being analyzed.

Successful exploitation can overwrite /root/.ssh/authorized_keys with the attacker's SSH public key, which yields an interactive root shell over SSH. The same write primitive can be used to plant new cron jobs, modify shell profile files, and more.
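The mechanics of a zip-slip write, as an added example that is not code from Titan MFT or from Rapid7's report: a constructed archive carries an entry named ../../.ssh/authorized_keys; a naive extractor (an assumed model of what vulnerable automatic extraction looks like, not the product's implementation) joins the entry name onto the user's home directory and writes it two levels up, while a hardened extractor resolves each target path and refuses the whole archive if any entry escapes. The scratch directory layout and the key material are illustrative.

```python
import io
import os
import tempfile
import zipfile


def build_malicious_zip():
    """Constructed sample archive: one benign entry plus one whose name
    climbs two directories up, the shape of a zip-slip payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "benign content\n")
        # Placeholder key, not a real one.
        zf.writestr("../../.ssh/authorized_keys",
                    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... attacker@example\n")
    return buf.getvalue()


def is_contained(root, candidate):
    """True only if candidate, after resolving '..' and symlinks, is root
    itself or lies beneath it."""
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(candidate)
    return os.path.commonpath([root_real, cand_real]) == root_real


def naive_extract(zip_bytes, dest):
    """Vulnerable pattern (assumed model): joins the entry name onto dest and
    writes it, so '../' in the name escapes dest. Returns resolved paths written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_extract(zip_bytes, dest):
    """Hardened: validates every entry before writing anything and rejects
    the whole archive if any entry would land outside dest."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = []
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            if not is_contained(dest, target):
                raise ValueError("zip slip attempt: %r" % info.filename)
            targets.append((info, target))
        written = []
        for info, target in targets:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def demo():
    """Runs both extractors against the sample archive in a scratch tree and
    reports which files escaped the home directory and whether the hardened
    extractor refused the archive."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)
        home = os.path.join(base, "srv", "users", "alice")
        os.makedirs(home)
        payload = build_malicious_zip()

        escaped = [os.path.relpath(p, base)
                   for p in naive_extract(payload, home)
                   if not is_contained(home, p)]
        try:
            safe_extract(payload, home)
            rejected = False
        except ValueError:
            rejected = True
        return {"escaped": escaped, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any extractor: validate the resolved absolute path (os.path.realpath) rather than scanning the entry name for "..", so that an existing symlink inside the home directory cannot redirect an innocent-looking name elsewhere, and validate every entry before writing any, so a rejected archive has not already dropped a file. Archives can also contain symlink entries; an extractor that materialises those has to re-check later entries against them, which this example avoids by only ever writing regular files.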

CVE-2023-45686: Remote Code Execution via WebDAV Path Traversal

An authenticated attacker can exploit this vulnerability to write arbitrary files anywhere on the system by inserting ../ sequences into the WebDAV URL, because the WebDAV handler does not validate the path it receives. The severity of this vulnerability is still being analyzed.

Exploitation additionally requires that an administrator has enabled WebDAV. This issue affects only the Linux version of Titan MFT.

CVE-2023-45687: Session Fixation on Remote Administration Server

The remote administration server's API identifies an administrator's session by the SRTSession header value that is established when the administrator authenticates with an Authorization header. An attacker who knows that value can act as the administrator. The severity of this vulnerability is also still being analyzed.

With a usable session token, the attacker can create a new user with an arbitrary home folder, log in to the file-upload services as that user, upload an authorized_keys file, and more.
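Session fixation on an administration API, as an added model that is not South River's code: the advisory names the SRTSession header, but the server logic here (an in-memory session table and a flag selecting whether login mints a fresh id or adopts the one the client presented) is an assumption used to contrast the vulnerable binding with the fix. The credentials and the attacker-chosen id are constructed.

```python
import hmac
import secrets

SESSION_HEADER = "SRTSession"   # header name from the advisory; everything else is a model


class AdminApi:
    """Minimal model of a remote-administration API with a header-carried session."""

    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}                                  # session id -> username
        # Constructed credentials; a real server stores a salted hash, not the password.
        self.admins = {"admin": "correct horse battery staple"}

    def login(self, headers, username, password):
        """Authenticate with credentials (the Authorization header in the real API)
        and return the session id the client must present afterwards."""
        expected = self.admins.get(username, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            raise PermissionError("bad credentials")
        client_supplied = headers.get(SESSION_HEADER)
        if self.regenerate_on_login or not client_supplied:
            sid = secrets.token_urlsafe(32)    # fresh, unguessable, never chosen by the client
        else:
            sid = client_supplied              # vulnerable: binds the login to an id the attacker may know
        self.sessions[sid] = username
        return sid

    def whoami(self, headers):
        """Resolve the presented session id to a username, or None."""
        return self.sessions.get(headers.get(SESSION_HEADER))


def fixation_attack(regenerate_on_login):
    """Attacker picks a session id, the administrator authenticates while presenting it,
    and the attacker then replays it. Returns who the API thinks the attacker is."""
    api = AdminApi(regenerate_on_login)
    attacker_sid = "attacker-chosen-0000"     # constructed, known to the attacker in advance
    # The administrator's client sends the attacker-known header value with valid credentials.
    api.login({SESSION_HEADER: attacker_sid}, "admin", "correct horse battery staple")
    # The attacker presents the same value without ever knowing the password.
    return api.whoami({SESSION_HEADER: attacker_sid})


if __name__ == "__main__":
    print("vulnerable server:", fixation_attack(regenerate_on_login=False))
    print("fixed server:     ", fixation_attack(regenerate_on_login=True))
```

Regeneration at login is the standard fix for fixation: never adopt a session identifier the client presented before it authenticated. Outright theft of the token, the case the text describes, is not solved by regeneration, so the SRTSession value has to be handled as a credential: keep it out of URLs and logs, send it only over TLS, and expire it.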

CVE-2023-45688: Information Disclosure via Path Traversal on FTP

This vulnerability stems from missing path sanitization in the FTP SIZE command, which an attacker can use to learn the size of any file on the file system. Exploitation requires an account that is permitted to log in over FTP. The severity of this vulnerability is still being analyzed.
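One resolver that covers both the WebDAV handler (CVE-2023-45686) and the FTP SIZE command (CVE-2023-45688), as an added example not taken from Titan's code or Rapid7's report: a client-supplied path, percent-encoded or not, is decoded once, normalized, and then checked against the user's root using the filesystem's resolved view. The constructed sample requests show traversal in the forms the text mentions plus encoded, backslash and NUL-byte variants; the root directory and request strings are illustrative.

```python
import os
import posixpath
from urllib.parse import unquote


class PathTraversal(ValueError):
    """Raised when a client-supplied path would leave the user's root."""


def resolve_client_path(user_root, client_path):
    """Map a client-supplied path (WebDAV URL path or FTP command argument)
    to an absolute filesystem path guaranteed to lie inside user_root.

    Order matters: decode, reject NUL, normalize, then verify against the
    resolved filesystem path so symlinks cannot undo the lexical check.
    """
    decoded = unquote(client_path)              # "%2e%2e" becomes ".." before any inspection
    if "\x00" in decoded:                       # NUL truncates the path at the C level
        raise PathTraversal("NUL byte in path")
    decoded = decoded.replace("\\", "/")        # treat backslashes as separators too
    stripped = decoded.lstrip("/")              # a leading "/" from the client means the user's root
    normalized = posixpath.normpath(stripped) if stripped else "."
    if normalized == ".." or normalized.startswith("../"):
        raise PathTraversal("escapes root: %r" % client_path)
    root_real = os.path.realpath(user_root)
    target = os.path.realpath(os.path.join(root_real, normalized))
    if os.path.commonpath([root_real, target]) != root_real:
        raise PathTraversal("escapes root after resolution: %r" % client_path)
    return target


# Constructed requests in the shapes the advisory describes, plus evasion variants.
SAMPLE_REQUESTS = [
    ("WebDAV PUT", "/dav/../../etc/cron.d/backdoor"),
    ("WebDAV PUT", "docs/%2e%2e/%2e%2e/root/.ssh/authorized_keys"),
    ("WebDAV GET", "docs\\..\\..\\win.ini"),
    ("FTP SIZE", "../../../etc/shadow"),
    ("FTP SIZE", "/etc/passwd"),
    ("FTP SIZE", "reports/2023/q3.csv"),
    ("FTP RETR", "ok.txt\x00../../etc/passwd"),
]


def triage(user_root, requests=SAMPLE_REQUESTS):
    """Run each request through the resolver. Returns (proto, path, verdict, where),
    with 'where' relative to the root for allowed paths and None for rejected ones."""
    out = []
    root_real = os.path.realpath(user_root)
    for proto, path in requests:
        try:
            target = resolve_client_path(user_root, path)
            out.append((proto, path, "allowed", os.path.relpath(target, root_real)))
        except PathTraversal:
            out.append((proto, path, "rejected", None))
    return out


if __name__ == "__main__":
    for row in triage("/srv/titan/users/alice"):
        print(row)
```

Note that "SIZE /etc/passwd" is allowed but lands on etc/passwd inside the user's root, which is the chroot-style semantics an FTP client expects; the system file is only reachable if the server joins the raw argument onto "/" without the containment check. Double-encoded input ("%252e%252e") is deliberately decoded only once and ends up as a literal directory name, which is safe; decoding in a loop until stable is the mistake that reopens the hole.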

CVE-2023-45689: Information Disclosure via Path Traversal in Admin Interface

This vulnerability lets an administrator use the MxUtilFileAction model to retrieve and delete files from anywhere on the file system by placing ../ sequences in the path. It is a minor issue, since administrators already have full control over the system.

CVE-2023-45690: Information Leak via World-Readable Database + Logs

Password hashes appear in world-readable files, including the database and log files. A low-privileged local user can read them, crack them offline, and use the recovered credentials to escalate privileges, up to root. Exploitation requires shell access to the system.
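A quick audit for this class of issue, as an added check that is not part of Rapid7's report: walk an installation directory, list regular files readable by "other", and tighten the ones that should not be. The file names and layout below are constructed stand-ins, not Titan's actual files.

```python
import os
import stat
import tempfile


def find_world_readable(root):
    """Return paths (relative to root) of regular files whose mode grants read to 'other'."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)                      # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                exposed.append(os.path.relpath(full, root))
    return sorted(exposed)


def restrict_to_owner(path):
    """Drop all group/other permission bits, leaving owner bits untouched.
    Returns the resulting mode (0o600 for a file that was 0o644)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & 0o700)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Builds a constructed install tree, audits it, fixes the offenders, re-audits."""
    with tempfile.TemporaryDirectory() as d:
        layout = {                      # constructed names and modes, not Titan's real layout
            "data/users.db": 0o644,     # world-readable database
            "logs/server.log": 0o644,   # world-readable log
            "etc/host.key": 0o600,      # already owner-only
        }
        for rel, mode in layout.items():
            full = os.path.join(d, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("constructed sample content\n")
            os.chmod(full, mode)
        before = find_world_readable(d)
        for rel in before:
            restrict_to_owner(os.path.join(d, rel))
        after = find_world_readable(d)
        return before, after


if __name__ == "__main__":
    print(demo())
```

On a live host the equivalent one-liner is `find /path/to/install -type f -perm -o=r`; extend the mask with stat.S_IRGRP when the service's group is shared with untrusted accounts. Tightening permissions limits who can read the hashes from now on but does not undo what was already readable, so rotating the affected administrator passwords after patching is the safe assumption.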

Rapid7 has published a complete report with full details, proof-of-concept source code, exploitation methods, and Metasploit modules.

Users of Titan MFT and Titan SFTP should upgrade to the latest version to prevent exploitation of these vulnerabilities. Until then, the prerequisites listed above point to interim mitigations: keep WebDAV disabled, restrict which accounts may log in over FTP, and make sure the database and log files are not readable by other local users.

Copyright © 2022 Cyber Affairs. All rights reserved.