Triangle MicroWorks SCADA Data Gateway Directory Traversal Arbitrary File Creation Vulnerability

The Directory Traversal vulnerability in Triangle MicroWorks SCADA Data Gateway allows an attacker to bypass intended file system restrictions. By crafting malicious requests, an attacker can specify arbitrary file paths, enabling them to create files in unexpected locations. This could lead to the execution of malicious code, data exfiltration, or denial of service. The ability to create arbitrary files within the SCADA system poses a significant risk, as it could allow an attacker to gain persistent access or disrupt critical industrial control processes. Successful exploitation requires user interaction, typically through visiting a malicious page or opening a malicious file.

Organizations utilizing Triangle MicroWorks SCADA Data Gateway in industrial control systems are at risk. This includes critical infrastructure sectors such as energy, water treatment, and manufacturing. Specifically, deployments with limited network segmentation and inadequate file system monitoring are particularly vulnerable. Shared hosting environments where multiple SCADA systems reside on the same infrastructure also increase the potential impact.

• linux / server: Monitor system logs (journalctl) for unusual file creation events, particularly in sensitive directories. Look for patterns indicative of directory traversal attempts.

journalctl -f | grep -i 'create file' -i 'directory traversal'

• generic web: Use curl to test for directory traversal by appending path traversal sequences (e.g., ../../../../) to the vulnerable endpoint. Analyze response headers and content for signs of unauthorized file access.

curl 'http://<scada_gateway_ip>/workspace/../../../../etc/passwd' -s

• windows / supply-chain: Monitor PowerShell execution logs for suspicious commands involving file creation or modification within the SCADA Data Gateway's installation directory.

Get-WinEvent -LogName Security -FilterXPath '//Event[System[EventID=4688] and EventData[Data[@Name='ProcessName']='powershell.exe'] and EventData[Data[@Name='CommandLine'] like '%create file%']]'

1. 2024-05-03Disclosure

   disclosure

1. Reserviert2023-08-02
2. Veröffentlicht2024-05-03
3. Geändert2024-08-02
4. EPSS aktualisiert2026-04-02

While a patch is pending, several mitigation steps can reduce the risk associated with CVE-2023-39459. First, restrict network access to the SCADA Data Gateway to only authorized personnel and systems. Implement strict firewall rules to limit inbound connections. Second, carefully validate all workspace file paths before use. Implement input validation routines to prevent attackers from manipulating file paths. Consider using a Web Application Firewall (WAF) to filter malicious requests. Regularly review and audit system logs for suspicious activity. After applying these mitigations, verify the effectiveness by attempting to access restricted files using crafted requests.