
WARNING: CRITICAL PRE-AUTHENTICATION HEAP OVERFLOW VULNERABILITY IN XLIGHT FTP SERVERS, PATCH IMMEDIATELY!

Reference:
Advisory #2024-252
Version:
1.0
Affected software:
Xlight 32-bit and 64-bit versions <= 3.9.4.2
Type:
Pre-authentication heap overflow vulnerability
CVE/CVSS:
CVE-2024-46483: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Github - https://github.com/kn32/cve-2024-46483

Risks

CVE-2024-46483 is a critical vulnerability in the SFTP component of Xlight FTP Server, a popular Windows-based FTP and SFTP server used for secure, high-performance file transfer.

The vulnerability allows an unauthenticated attacker who can reach the Xlight SFTP service over the network to achieve code execution or cause a denial of service; no credentials and no user interaction are required. It affects all three properties of the CIA triad (confidentiality, integrity and availability). A proof of concept is already publicly available on GitHub, so exploitation attempts should be expected. Update your systems immediately.

Description

The vulnerability is a heap overflow in Xlight's SFTP protocol implementation. SFTP strings are length-prefixed, and Xlight does not adequately validate the client-supplied length before using it in a size calculation, which can wrap around (integer overflow). An attacker can therefore send a crafted packet whose length field produces a heap allocation that is far smaller than the number of bytes subsequently copied into it, so the copy writes past the end of the allocated buffer. Because the string is parsed before the client has authenticated, the attacker needs no account on the server.
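The length-field pattern described above, as an added example in C that is not Xlight's code and is not taken from the public proof of concept: a naive parser that trusts the 4-byte SFTP string length and computes `len + 1` in 32-bit arithmetic, beside a hardened parser that bounds the length before doing any arithmetic or copying. The `MAX_SFTP_STRING` cap, the function names and the packets are assumptions constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* An SFTP "string" on the wire is a 4-byte big-endian length followed by
 * that many bytes. Every packet used here is constructed locally. */
static uint32_t read_u32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Allocation size a naive parser requests for a NUL-terminated copy of a
 * `len`-byte string, computed in 32-bit arithmetic as such code often is.
 * For len == UINT32_MAX the addition wraps to 0. */
uint32_t naive_alloc_size(uint32_t len)
{
    return len + 1u;
}

/* Illustrative vulnerable pattern (not Xlight's code). The length field is
 * trusted: the wrapped size goes to malloc, then memcpy copies the
 * attacker-chosen `len` bytes into a buffer of (len + 1) mod 2^32 bytes,
 * i.e. far past its end. Never call this with untrusted input. */
char *parse_string_vulnerable(const uint8_t *pkt)
{
    uint32_t len = read_u32be(pkt);
    char *s = malloc(naive_alloc_size(len)); /* 0 bytes when len == 0xFFFFFFFF */
    if (s == NULL)
        return NULL;
    memcpy(s, pkt + 4, len);                  /* heap overflow for large len */
    s[len] = '\0';
    return s;
}

#define MAX_SFTP_STRING (64u * 1024u) /* assumed application-level cap */

/* Hardened parser: returns a malloc'd NUL-terminated copy, or NULL if the
 * length field cannot be trusted. Order matters: the cap is applied before
 * any arithmetic on `len`, so `len + 1` can no longer wrap, and the claimed
 * length is checked against the bytes actually received. */
char *parse_string_hardened(const uint8_t *pkt, size_t pktlen, size_t *consumed)
{
    if (pktlen < 4)
        return NULL;                         /* not even a length field */
    uint32_t len = read_u32be(pkt);
    if (len > MAX_SFTP_STRING)
        return NULL;                         /* absurd length, also blocks wrap */
    if ((size_t)len > pktlen - 4)
        return NULL;                         /* header claims more than we got */
    char *s = malloc((size_t)len + 1);       /* cannot wrap: len <= cap */
    if (s == NULL)
        return NULL;
    memcpy(s, pkt + 4, len);
    s[len] = '\0';
    if (consumed != NULL)
        *consumed = 4 + (size_t)len;
    return s;
}

/* Build a string packet with an arbitrary claimed length so a lying header
 * can be fed to the parsers. Returns the number of bytes written. */
size_t build_string_packet(uint8_t *out, size_t outcap, uint32_t claimed_len,
                           const uint8_t *payload, size_t payload_len)
{
    if (outcap < 4 + payload_len)
        return 0;
    out[0] = (uint8_t)(claimed_len >> 24);
    out[1] = (uint8_t)(claimed_len >> 16);
    out[2] = (uint8_t)(claimed_len >> 8);
    out[3] = (uint8_t)claimed_len;
    memcpy(out + 4, payload, payload_len);
    return 4 + payload_len;
}

/* Feed the hardened parser a 5-byte payload under an arbitrary claimed
 * length; returns 1 if the parser rejected it, 0 if it accepted it. */
int hardened_rejects(uint32_t claimed_len)
{
    uint8_t pkt[64];
    const uint8_t payload[] = "hello";        /* constructed sample input */
    size_t n = build_string_packet(pkt, sizeof pkt, claimed_len, payload, 5);
    char *s = parse_string_hardened(pkt, n, NULL);
    int rejected = (s == NULL);
    free(s);
    return rejected;
}

int main(void)
{
    printf("naive_alloc_size(0xFFFFFFFF) = %u\n", naive_alloc_size(UINT32_MAX));
    printf("claimed 5          -> %s\n", hardened_rejects(5) ? "rejected" : "accepted");
    printf("claimed 100        -> %s\n", hardened_rejects(100) ? "rejected" : "accepted");
    printf("claimed 0xFFFFFFFF -> %s\n", hardened_rejects(UINT32_MAX) ? "rejected" : "accepted");
    return 0;
}
```

The hardened version never calls memcpy with a size it has not first bounded by both an application limit and the number of bytes actually present; the length field is data under attacker control and is only a hint until it has been checked.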

The impact depends on the Xlight build:

  • 32-bit versions: the overflow can overwrite heap metadata and other critical heap data, which may allow an attacker to achieve code execution.
  • 64-bit versions: code execution is less likely, but the overflow still crashes the server, resulting in a denial of service.

Recommended actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates on vulnerable systems with the highest priority, after thorough testing. All 32-bit and 64-bit Xlight versions up to and including 3.9.4.2 are affected; upgrade to a release later than 3.9.4.2. Where patching cannot be done immediately, restrict network access to the Xlight SFTP listener to trusted sources until the update is applied.

Monitor/Detect

The CCB recommends that organisations scale up their monitoring and detection capabilities to identify related suspicious activity, so that they can respond swiftly in case of an intrusion. Note that SFTP runs inside the encrypted SSH session, so the malformed packet itself is not visible to network-based inspection; host-side indicators are the more useful signal, such as unexpected crashes or restarts of the Xlight service (a failed exploitation attempt or a denial of service), unusual child processes spawned by the Xlight service, and unexpected outbound connections from the server.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version protects against future exploitation, it does not remediate a historic compromise: a system that was exposed while vulnerable should also be checked for signs of earlier intrusion.

References

SecurityOnline - https://securityonline.info/cve-2024-46483-cvss-9-8-xlight-ftp-server-fl...