Security Advisory – DxWebEngine Directory Traversal

Applies to…

  • DxEnterprise 19.5 for Windows
  • DxOdyssey 19.5 for Windows
  • DxEnterprise 20.0 for Windows
  • DxOdyssey 20.0 for Windows

Security Advisory Description

DxWebEngine, a component of the DxEnterprise and DxOdyssey products, has an information disclosure vulnerability that can be exploited through directory traversal on Windows.

Impact

This vulnerability allows unauthenticated attackers and authenticated users with network access to the DxWebEngine service to remotely retrieve arbitrary file contents without authorization.

Security Advisory Status

DH2i Product Development has assigned Work Item #2952 to this vulnerability.

To determine if your product version is vulnerable, refer to the following table.

  Product                     Vulnerable versions     Vulnerable component
  DxEnterprise for Windows    19.5.x *                DxWebEngine
                              20.0.218 or earlier
  DxOdyssey for Windows       19.5.x *                DxWebEngine
                              20.0.219 or earlier

* v19.5.x is vulnerable only when DxWebEngine has been started manually.

Security Advisory Recommended Actions and Mitigations

DxWebEngine is a non-critical, peripheral service that can be disabled without any impact on the current functionality of DxEnterprise or DxOdyssey. If you are running a version listed in the Vulnerable versions column, you can eliminate this vulnerability by stopping and disabling the DxWebEngine component.

  1. Stop DxWebEngine
    net stop dxwebengine
  2. Disable DxWebEngine
    sc config dxwebengine start= disabled
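
An added example (not part of DH2i's advisory): a PowerShell equivalent of the two steps above that also verifies the result, for running from an elevated prompt on each affected host. The service name dxwebengine is taken from the commands above; the function name Disable-DxWebEngine is hypothetical.

```powershell
# Added example, not DH2i code. Run from an elevated PowerShell prompt.
# The service name comes from the advisory's commands; the function name is hypothetical.
function Disable-DxWebEngine {
    [CmdletBinding()]
    param([string]$Name = 'dxwebengine')

    $filter = "Name='$Name'"
    $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter
    if (-not $svc) {
        # Nothing to mitigate on hosts where the component is not installed.
        Write-Host "[$env:COMPUTERNAME] service '$Name' not found, nothing to do"
        return $true
    }

    # Step 1: stop the service if it is not already stopped
    # (same effect as "net stop dxwebengine").
    if ($svc.State -ne 'Stopped') {
        Stop-Service -Name $Name -Force -ErrorAction Stop
    }

    # Step 2: keep it from starting again, including after a reboot
    # (same effect as "sc config dxwebengine start= disabled").
    Set-Service -Name $Name -StartupType Disabled -ErrorAction Stop

    # Verify by re-reading the service state instead of trusting the calls above.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter
    $ok = ($svc.State -eq 'Stopped') -and ($svc.StartMode -eq 'Disabled')
    Write-Host ("[{0}] {1}: State={2} StartMode={3} Mitigated={4}" -f `
        $env:COMPUTERNAME, $Name, $svc.State, $svc.StartMode, $ok)
    return $ok
}

# A non-zero exit code lets deployment tooling flag hosts where the mitigation failed.
if (-not (Disable-DxWebEngine)) { exit 1 }
```

The script is idempotent, so it can be re-run to confirm that the service is still stopped and disabled.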
