CVE-2020-37041
📋 TL;DR
CVE-2020-37041 is a directory traversal vulnerability in OpenCTI 3.3.1 that allows unauthenticated attackers to read arbitrary files from the server filesystem. Attackers can exploit this by sending crafted GET requests with path traversal sequences to the /static/css endpoint. All OpenCTI 3.3.1 deployments are affected regardless of authentication configuration.
💻 Affected Systems
- OpenCTI
📦 What is this software?
Opencti by Citeum
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via reading sensitive files like SSH keys, database credentials, configuration files, and system files, potentially leading to lateral movement and data exfiltration.
Likely Case
Information disclosure of sensitive files including configuration files, user data, and system files, enabling further attacks and reconnaissance.
If Mitigated
Limited impact if proper network segmentation, file permissions, and web application firewalls are in place to block traversal attempts.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB (ID 48595). The attack requires only a web browser or curl.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.2 and later
Vendor Advisory: https://github.com/OpenCTI-Platform/opencti/releases
Restart Required: Yes
Instructions:
1. Back up your OpenCTI configuration and data.
2. Stop the OpenCTI service.
3. Update to OpenCTI 3.3.2 or later using your package manager or from GitHub releases.
4. Restart the OpenCTI service.
5. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Web Application Firewall Rule
Block requests containing path traversal sequences in URLs
Add WAF rule to block requests containing '../' or similar traversal patterns
Nginx/Apache Rewrite Rule
Prevent access to the vulnerable endpoint with rewrite rules
# Both an Nginx location regex and an Apache RewriteRule pattern are matched against the normalised path (".." already resolved), so a literal "../" match there never fires; test the raw request line instead:
location /static/css/ { if ($request_uri ~* "(\.\.(/|%2f)|%2e%2e)") { return 403; } }  # keep this location's existing proxy_pass/root directives in the block
RewriteCond %{THE_REQUEST} "\s/static/css/\S*(\.\.(/|%2f)|%2e%2e)" [NC]
RewriteRule ^ - [F]
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the OpenCTI instance
- Deploy a web application firewall (WAF) with rules to block path traversal patterns
🔍 How to Verify
Check if Vulnerable:
Test with curl: curl -v 'http://opencti-server/static/css//../../../../../../../../etc/passwd'. If the response contains the contents of /etc/passwd, the system is vulnerable.
Check Version:
Check the OpenCTI version in the web interface or via the API, or check the package version: dpkg -l | grep opencti (Debian/Ubuntu) or rpm -qa | grep opencti (RHEL/CentOS).
Verify Fix Applied:
After patching, repeat the curl test above; it should return a 404 or an error instead of file contents.
📡 Detection & Monitoring
Log Indicators:
- HTTP GET requests to /static/css/ with '../' sequences
- 404 errors for non-existent static files with traversal patterns
- Access to sensitive file paths from web logs
Network Indicators:
- Unusual GET requests with multiple '../' sequences
- Traffic to /static/css/ endpoint from unexpected sources
SIEM Query:
source="web_access.log" AND (uri="/static/css/*" AND uri="*../*")
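A detection example added to this advisory (not part of the original page or of OpenCTI) that applies the log indicators above to constructed access-log lines: it percent-decodes each request path, including double-encoded variants, before checking for a ".." segment under /static/css/. The log lines, client addresses and file paths are made-up samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); addresses and paths are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2020:12:00:01 +0000] "GET /static/css/main.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2020:12:00:02 +0000] "GET /static/css//../../../../../../../../etc/passwd HTTP/1.1" 200 1311 "-" "curl/7.68.0"
203.0.113.9 - - [10/Jun/2020:12:00:03 +0000] "GET /static/css/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 153 "-" "curl/7.68.0"
198.51.100.2 - - [10/Jun/2020:12:00:04 +0000] "GET /static/css/..%252f..%252fapp/config.json HTTP/1.1" 200 900 "-" "python-requests/2.23"
198.51.100.7 - - [10/Jun/2020:12:00:05 +0000] "GET /dashboard HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD URI PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def normalise(uri):
    """Drop the query string and percent-decode until stable, so double encoding is caught."""
    path = uri.split("?", 1)[0]
    for _ in range(3):  # bounded: stop as soon as a decoding pass changes nothing
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(uri):
    """True when a decoded path under /static/css/ contains a '..' segment (the CVE-2020-37041 pattern)."""
    path = normalise(uri)
    if not path.startswith("/static/css/"):
        return False
    return any(seg == ".." for seg in path.replace("\\", "/").split("/"))

def scan(log_text):
    """Return (client, status, raw_uri) for every matching request; a 2xx status means content was likely served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m.group("uri")):
            hits.append((m.group("ip"), int(m.group("status")), m.group("uri")))
    return hits

if __name__ == "__main__":
    for client, status, uri in scan(SAMPLE_LOG):
        print(f"{client} {status} {uri}")
```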