
WARNING: ACTIVELY EXPLOITED REMOTE CODE EXECUTION VULNERABILITY IN HTTP FILE SERVER.

Reference: 
Advisory #2024-103
Version: 
1.0
Affected software: 
Rejetto HTTP File Server, versions 2.4.0 RC7 and 2.3m
Type: 
Remote Code Execution (RCE)
CVE/CVSS: 

CVE-2024-23692: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

NVD - https://nvd.nist.gov/vuln/detail/CVE-2024-23692

Risks

CVE-2024-23692 is a remote code execution vulnerability affecting HTTP File Server (HFS). Successful exploitation could allow an unauthenticated attacker to remotely execute arbitrary commands on affected HFS servers, leading to a range of malicious activities.

Security researchers at AhnLab Security Intelligence Center (ASEC) have issued a critical warning to all users of HFS: CVE-2024-23692 has been exploited by malicious actors to deploy Remote Access Trojans (RATs) such as GhOstRAT, PlugX and XenoRAT in order to maintain persistence on affected systems.

Exploitation of this vulnerability has a high impact on confidentiality, integrity and availability.

A proof-of-concept (PoC) for CVE-2024-23692 has been released that demonstrates how a threat actor could exploit this vulnerability.

Description

CVE-2024-23692 is a critical remote code execution vulnerability (CVSS score 9.8) affecting Rejetto HTTP File Server versions 2.4.0 RC7 and 2.3m. It could allow a remote attacker to execute arbitrary code on affected systems by sending a specially crafted request. Rejetto HFS 2.3m is no longer supported; users need to upgrade to version 3.x, which is not affected by this vulnerability.

AhnLab Security Intelligence Center (ASEC) has observed a variety of cyber attacks targeting HFS servers in order to:

  • deploy RATs such as GhOstRAT, PlugX and XenoRAT to maintain persistence on compromised systems
  • deploy GoThief malware, which exfiltrates sensitive data via Amazon AWS.

Recommended actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

There is no patch available for HFS version 2.x, since it is no longer supported by its maintainers. However, users are strongly advised to upgrade to version 3.x of Rejetto HFS, which is not affected by this vulnerability.
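Since the only remediation is leaving the 2.x line altogether, the first step is an inventory of which HFS instances are still on it. The following script is an added example (not part of this advisory or of Rejetto's code) that classifies HFS instances from the version string in their HTTP Server header; it assumes HFS 2.x advertises itself as "HFS <version>" in that header, and the host names and banners below are constructed samples.

```python
import re
import urllib.request
from typing import Optional

# 2.x releases named in the advisory. No 2.x release is patched, so the
# check below treats the whole 2.x line as affected, not just these two.
AFFECTED_VERSIONS = {"2.3m", "2.4.0 RC7"}

# Assumption: HFS 2.x sends a Server header such as "HFS 2.3m" or
# "HFS 2.4.0 RC7". Captures major, minor, optional patch, optional suffix.
SERVER_RE = re.compile(r"^HFS\s+(\d+)\.(\d+)(?:\.(\d+))?\s*([A-Za-z0-9]*)")


def parse_hfs_version(server_header: str) -> Optional[tuple]:
    """Return (major, minor, patch, suffix) for an HFS banner, else None."""
    m = SERVER_RE.match(server_header.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch or 0), suffix


def classify(server_header: str) -> str:
    """'affected' for any 2.x instance (unsupported, upgrade to 3.x),
    'ok' for 3.x and later, 'unknown' when the banner is not HFS."""
    parsed = parse_hfs_version(server_header)
    if parsed is None:
        return "unknown"
    return "affected" if parsed[0] < 3 else "ok"


def fetch_server_header(url: str, timeout: float = 5.0) -> str:
    """Read the Server header from a host you manage (HEAD request)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("Server", "")


def inventory(banners: dict) -> dict:
    """Map each host to its classification; banners come from fetch_server_header."""
    return {host: classify(banner) for host, banner in banners.items()}


# Constructed sample inventory so the script runs offline.
SAMPLE_BANNERS = {
    "fileshare-a": "HFS 2.3m",
    "fileshare-b": "HFS 2.4.0 RC7",
    "fileshare-c": "nginx/1.24.0",
}

if __name__ == "__main__":
    for host, status in inventory(SAMPLE_BANNERS).items():
        print(f"{host}: {status}")
```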

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

ASEC (AhnLab) - https://asec.ahnlab.com/en/67650/

SecurityOnline - https://securityonline.info/cve-2024-23692-unauthenticated-rce-flaw-in-r...