WARNING: ACTIVELY EXPLOITED REMOTE CODE EXECUTION VULNERABILITY IN HTTP FILE SERVER.
CVE-2024-23692: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
NVD - https://nvd.nist.gov/vuln/detail/CVE-2024-23692
Risks
CVE-2024-23692 is a remote code execution vulnerability affecting Rejetto HTTP File Server (HFS). Successful exploitation could allow an unauthenticated attacker to execute arbitrary commands on affected HFS servers, leading to a range of malicious activities.
Security researchers at AhnLab Security Intelligence Center (ASEC) have issued a critical warning to all HFS users: CVE-2024-23692 is being exploited by malicious actors to deploy Remote Access Trojans (RATs) such as GhOstRAT, PlugX and XenoRAT in order to maintain persistence on affected systems.
Exploitation of this vulnerability has a high impact on confidentiality, integrity and availability.
A proof-of-concept (PoC) exploit for CVE-2024-23692 has been published, demonstrating how a threat actor could exploit this vulnerability.
Description
CVE-2024-23692 is a critical remote code execution vulnerability (CVSS score 9.8) affecting Rejetto HTTP File Server versions 2.3m and 2.4.0. NVD classifies it as a template injection flaw: a remote, unauthenticated attacker can execute arbitrary code on an affected system by sending a specially crafted HTTP request. Rejetto HFS 2.3m is no longer supported; users need to upgrade to version 3.x, which is not affected by this vulnerability.
AhnLab Security Intelligence Center (ASEC) has observed a variety of attacks targeting HFS servers that:
- deploy RATs such as GhOstRAT, PlugX and XenoRAT to maintain persistence on compromised systems
- deploy GoThief, an information-stealing malware that exfiltrates sensitive data via Amazon AWS
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
There is no patch available for HFS version 2.x, since it is no longer supported by its maintainers. Users are therefore strongly advised to upgrade to Rejetto HFS version 3.x, which is not affected by this vulnerability. Until the upgrade is completed, HFS 2.x instances should not remain reachable from untrusted networks.
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
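As an added illustration for the Patch and Monitor/Detect recommendations above (this is example code written for this page, not part of the CCB advisory, NVD, or Rejetto's software), the following Python script shows two checks a team acting on this advisory would run: locating HFS 2.x instances from the "Server: HFS <version>" banner that HFS 2.x returns, and scanning web access logs for requests that carry HFS's template-macro delimiters `{.` and `.}`, which is the generic signature of a template-injection attempt against HFS 2.x rather than any single payload. The host banners (including the assumed format of a 3.x banner) and the log lines are constructed samples; the macro name in them is only there to make the sample look like real traffic and is not what the rule keys on.

```python
import re
from urllib.parse import unquote

# Constructed sample inventory: hostname -> Server response header.
# HFS 2.x advertises itself as "HFS <version>"; the 3.x banner format is an assumption.
SAMPLE_BANNERS = {
    "fileshare-01": "HFS 2.3m",
    "fileshare-02": "HFS 2.4.0",
    "fileshare-03": "HFS 3.0.0",
    "web-01": "nginx/1.24.0",
}

# Constructed sample access-log lines in combined log format.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Jul/2024:10:00:01 +0200] "GET /?search=report.pdf HTTP/1.1" 200 512',
    '203.0.113.77 - - [05/Jul/2024:10:00:09 +0200] "GET /?search=%7B.exec%7Cwhoami.%7D HTTP/1.1" 200 80',
    '203.0.113.77 - - [05/Jul/2024:10:00:11 +0200] "GET /?search=%257B.exec%257Ccmd.%257D HTTP/1.1" 200 80',
    '198.51.100.5 - - [05/Jul/2024:10:01:00 +0200] "GET /docs/{.txt HTTP/1.1" 404 0',
]

HFS_BANNER = re.compile(r"^HFS\s+(\d+)\.(\d+)", re.IGNORECASE)
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)
MACRO_OPEN, MACRO_CLOSE = "{.", ".}"


def hfs_major_version(server_header):
    """Return the HFS major version from a Server header, or None if it is not HFS."""
    m = HFS_BANNER.match(server_header.strip())
    return int(m.group(1)) if m else None


def is_affected_hfs(server_header):
    """True for any HFS 2.x build: no fix exists for 2.x, the advisory says upgrade to 3.x."""
    major = hfs_major_version(server_header)
    return major is not None and major < 3


def find_affected_hosts(banners):
    """Hosts whose banner identifies an unsupported HFS 2.x build, sorted by name."""
    return sorted(host for host, banner in banners.items() if is_affected_hfs(banner))


def decode_target(request_target):
    """URL-decode twice: attackers percent-encode the braces, sometimes twice."""
    return unquote(unquote(request_target))


def has_macro_delimiters(request_target):
    """A request carrying both HFS macro delimiters is a template-injection attempt candidate."""
    decoded = decode_target(request_target)
    return MACRO_OPEN in decoded and MACRO_CLOSE in decoded


def flag_suspicious_requests(log_lines):
    """Return (client_ip, decoded_target) for every log line that carries macro delimiters."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if has_macro_delimiters(m.group("target")):
            hits.append((m.group("ip"), decode_target(m.group("target"))))
    return hits


if __name__ == "__main__":
    for host in find_affected_hosts(SAMPLE_BANNERS):
        print(f"upgrade required: {host} ({SAMPLE_BANNERS[host]})")
    for ip, target in flag_suspicious_requests(SAMPLE_LOG):
        print(f"template-injection attempt from {ip}: {target}")
```

The log rule deliberately requires both delimiters after double URL-decoding, so a lone `{.` in a file name (the last sample line) is not reported, while a double-encoded payload (the third line) still is. A hit on a host that the banner check has already classified as HFS 2.x should be treated as a likely compromise and investigated, not just as a blocked attempt, since upgrading afterwards does not undo an intrusion that already happened.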
References
Asec.ahnlab - https://asec.ahnlab.com/en/67650/
SecurityOnline - https://securityonline.info/cve-2024-23692-unauthenticated-rce-flaw-in-r...