Leadsec SSL VPN Path Traversal Vulnerability Allowing Arbitrary File Read
Vulnerability
A path traversal vulnerability has been identified in Leadsec SSL VPN, previously known as Lenovo NetGuard. It allows unauthenticated attackers to read arbitrary files from the underlying system. The flaw is in the /vpn/user/download/client endpoint: the ostype parameter is not adequately sanitized, so traversal sequences in it escape the intended directory.
Impact
Exploitation of this vulnerability leads to unauthorized access and reading of sensitive files on the system.
Reproduction
The vulnerability can be reproduced by sending a GET request to the /vpn/user/download/client endpoint with a crafted ostype parameter that includes traversal sequences. This request should be made without authentication, as the vulnerability allows unauthenticated access.
Remediation
Users are advised to update to the latest version of Leadsec SSL VPN, for which a patch is available. Instructions for downloading the patched version can be found on the Leadsec website.
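While the update is being rolled out, web access logs can be checked for requests of the shape described under Reproduction. The following is an added example, not code from the advisory or the vendor: it assumes logs in common/combined access log format (for instance from a reverse proxy in front of the appliance), and the sample lines, addresses and file names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

ENDPOINT = "/vpn/user/download/client"  # endpoint named in the advisory
PARAM = "ostype"                        # parameter named in the advisory
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (assumed common log format, documentation IPs).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /vpn/user/download/client?ostype=windows HTTP/1.1" 200 1024',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /vpn/user/download/client?ostype=..%2F..%2Fexample.txt HTTP/1.1" 200 90',
    '203.0.113.9 - - [01/Jan/2024:10:00:06 +0000] "GET /vpn/user/download/client?ostype=%252e%252e%252fexample.txt HTTP/1.1" 200 90',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.html?ostype=..%2Fx HTTP/1.1" 404 0',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value contains a '..' path segment."""
    segments = fully_decode(value).replace("\\", "/").split("/")
    return ".." in segments

def suspicious_requests(log_lines):
    """Return (line_number, decoded ostype) for traversal attempts on ENDPOINT."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if fully_decode(url.path).rstrip("/").lower() != ENDPOINT:
            continue
        # parse_qsl decodes once; fully_decode handles any further layers.
        for key, val in parse_qsl(url.query, keep_blank_values=True):
            if key.lower() == PARAM and is_traversal(val):
                hits.append((n, fully_decode(val)))
    return hits

if __name__ == "__main__":
    for line_no, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: ostype={value!r}")
```

A hit with a 200 response status is worth prioritising for review, since it suggests file content may have been returned.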
