
WARNING: AUTH VULNERABILITY IN PROJECTSEND (CVE-2024-11680) ACTIVELY EXPLOITED, PATCH IMMEDIATELY!

Reference: Advisory #2024-277
Version: 1.0
Affected software: ProjectSend
Type: Improper Authorization
CVE/CVSS: CVE-2024-11680 / CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11680

Risks

The ProjectSend vulnerability (CVE-2024-11680) poses a significant risk to organizations utilizing this open-source file-sharing web application.

A patch has been available for some time, but many instances have not been updated and therefore remain vulnerable to exploitation. Public exploits have been available for months, which means attackers have had ample opportunity to develop and deploy attacks.

The vulnerability allows attackers to modify the configuration file and potentially enable user registration to gain further access, leading to unauthorized data access and the possibility of webshell installation. This could result in a full compromise and thus severe system downtime, data breaches, and significant disruption to daily operations. Immediate action is required to update the software and mitigate these risks.

Description

CVE-2024-11680: ProjectSend (Actively Exploited)

ProjectSend versions prior to r1720 are affected by an authentication vulnerability.

Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to the options.php endpoint. This enables the attacker to modify the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.


Recommended actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing the latest patched version (r1750) for vulnerable instances with the highest priority.

Monitor/Detect
According to an article by VulnCheck, indicators of compromise include changing the HTML title to long random strings and enabling the user registration setting.

The same article recommends reviewing server access logs for direct access to the upload/files/ directory, as such requests could indicate that a webshell has been installed.
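The log review described above can be scripted. The following is an added example written for this advisory; it is not code from ProjectSend, VulnCheck or the CCB. It parses access log lines in combined log format, flags direct requests to the upload/files/ directory (after percent-decoding, so encoded variants are not missed) and POST requests to options.php, and applies a simple heuristic to a page's HTML title. The log lines and HTML snippets are constructed sample data, the 40-character title threshold and the "no whitespace" rule are assumptions, and the user-registration setting still has to be checked in the application itself.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Nov/2024:10:14:02 +0100] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Nov/2024:10:14:05 +0100] "POST /options.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.10 - - [26/Nov/2024:10:15:31 +0100] "GET /upload/files/1732612531-a8f3.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.7 - - [26/Nov/2024:10:16:00 +0100] "GET /process.php?do=download&id=42 HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Nov/2024:10:16:20 +0100] "GET /upload%2Ffiles%2F1732612531-a8f3.php HTTP/1.1" 200 88 "-" "curl/8.4"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Directory named in the advisory as the location of uploaded files.
UPLOAD_DIR = "/upload/files/"


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Percent-decode and drop the query string so encoded paths are normalised
    # before matching (e.g. /upload%2Ffiles%2F... becomes /upload/files/...).
    rec["path"] = unquote(rec["target"]).split("?", 1)[0]
    return rec


def find_indicators(log_text):
    """Return a list of findings for requests that match the advisory's indicators.

    Two checks are applied:
      - any direct request into upload/files/ (possible webshell access);
      - any POST to options.php (the endpoint named in the advisory).
    Every hit is only a lead for review, not proof of compromise.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].lower()
        if UPLOAD_DIR in path:
            findings.append({**rec, "reason": "direct access to upload/files/"})
        if rec["method"] == "POST" and path.endswith("/options.php"):
            findings.append({**rec, "reason": "POST to options.php"})
    return findings


TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def title_is_suspicious(html, max_len=40):
    """Heuristic for the 'long random string in the HTML title' indicator.

    Assumption: a legitimate ProjectSend title is short and contains spaces,
    so a title longer than max_len with no whitespace is treated as suspicious.
    """
    m = TITLE_RE.search(html)
    if not m:
        return False
    title = m.group(1).strip()
    return len(title) > max_len and " " not in title


# Constructed HTML snippets used to illustrate the title check.
NORMAL_HTML = "<html><head><title>ProjectSend - Log in</title></head></html>"
TAMPERED_HTML = (
    "<html><head><title>x7Qk2mN9vL4pR8sT1wY6zB3cF5hJ0dG2eK9aM4nP7qU1vX8b</title></head></html>"
)


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} -> {f['reason']}")
    print("title suspicious (normal):", title_is_suspicious(NORMAL_HTML))
    print("title suspicious (tampered):", title_is_suspicious(TAMPERED_HTML))
```

Run it against a real log with `find_indicators(open("access.log").read())`; the title check can be applied to the saved HTML of the login page. Both checks produce leads for an analyst, and a clean result does not rule out compromise.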

Keep in mind that even without these indicators you can be vulnerable and potentially compromised.
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.


References

VulnCheck: https://vulncheck.com/blog/projectsend-exploited-itw
Bleeping Computer: https://www.bleepingcomputer.com/news/security/hackers-exploit-projectsend-flaw-to-backdoor-exposed-servers/
GitHub: https://github.com/projectsend/projectsend