CVE-2022-24390 – This vulnerability allows authenticated attacke... (How to Fix)

Q: What is the severity of CVE-2022-24390?

CVE-2022-24390 has a CVSS score of 8.8 (HIGH). This vulnerability allows authenticated attackers with CLI user-level access to execute arbitrary commands on Fidelis Network and Deception components. It affects CommandPost, Collector, Sensor, and Sandbox components in versions prior to 9.4.5.

📋 TL;DR

This vulnerability allows authenticated attackers with CLI user-level access to execute arbitrary commands on Fidelis Network and Deception components. It affects CommandPost, Collector, Sensor, and Sandbox components in versions prior to 9.4.5.

💻 Affected Systems

Products:

Fidelis Network CommandPost
Fidelis Network Collector
Fidelis Network Sensor
Fidelis Network Sandbox
Fidelis Deception CommandPost
Fidelis Deception Collector
Fidelis Deception Sensor
Fidelis Deception Sandbox

Versions: All versions prior to 9.4.5

Operating Systems: Not specified in advisory

Default Config Vulnerable: ⚠️ Yes

Notes: Requires user-level CLI access to exploit. Affects both Network and Deception product lines.

📦 What is this software?

Deception by Fidelissecurity

View all CVEs affecting Deception →

Network by Fidelissecurity

View all CVEs affecting Network →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise leading to data exfiltration, lateral movement to other Fidelis components, and potential network-wide compromise.

🟠

Likely Case

Privilege escalation from user to administrative access, unauthorized command execution, and potential data access.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent lateral movement and command execution.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated CLI access. The vulnerability is in the 'remote_text_file' parameter of rconfig.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.4.5

Vendor Advisory: https://fidelissecurity.zendesk.com/hc/en-us/articles/6211730139411

Restart Required: Yes

Instructions:

1. Download patch from Fidelis support portal. 2. Apply patch to all affected components. 3. Restart services/components as required. 4. Verify patch installation.

🔧 Temporary Workarounds

Restrict CLI Access

all

Limit CLI access to only necessary administrative users

Network Segmentation

all

Isolate Fidelis components from other critical systems

🧯 If You Can't Patch

Implement strict access controls to limit CLI access to trusted administrators only.
Monitor for unusual CLI activity and command execution patterns.

🔍 How to Verify

Check if Vulnerable:

Check component version via CLI or web interface. If version is below 9.4.5, system is vulnerable.

Check Version:

fidelis-version or check via web admin interface

Verify Fix Applied:

Verify version is 9.4.5 or higher after patch application. Test 'remote_text_file' parameter functionality.

📡 Detection & Monitoring

Log Indicators:

Unusual CLI command execution patterns
Multiple failed authentication attempts followed by successful CLI access
Execution of unexpected system commands

Network Indicators:

Unusual outbound connections from Fidelis components
Lateral movement attempts to other Fidelis systems

SIEM Query:

source="fidelis_cli" AND (command="*remote_text_file*" OR command="*system*" OR command="*exec*")

📊 Metadata

CVE ID: CVE-2022-24390

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

Published: May 17, 2022

Last Updated: November 21, 2024

🔗 References

https://fidelissecurity.zendesk.com/hc/en-us/articles/6211730139411 Permissions Required,Vendor Advisory
https://fidelissecurity.zendesk.com/hc/en-us/articles/6211730139411 Permissions Required,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-24390, you might also want to check these: