CVE-2022-24392
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary system commands on Fidelis Network and Deception CommandPost through command injection in the web interface. Attackers can inject commands via the 'feed' parameter and receive results in HTTP responses. Organizations running affected Fidelis versions prior to 9.4.5 are at risk.
💻 Affected Systems
- Fidelis Network
- Fidelis Deception
📦 What is this software?
Deception by Fidelissecurity
Network by Fidelissecurity
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands with web server privileges, potentially leading to lateral movement, data exfiltration, or complete system takeover.
Likely Case
Authenticated attackers gaining command execution capabilities to compromise the CommandPost server, potentially accessing sensitive network data or deploying additional payloads.
If Mitigated
Limited impact due to authentication requirements and network segmentation, with attackers only able to execute commands within web server context on isolated systems.
🎯 Exploit Status
Exploitation requires authenticated access but command injection is straightforward once authenticated. No public exploit code was mentioned in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.4.5
Vendor Advisory: https://fidelissecurity.zendesk.com/hc/en-us/articles/6211730139411
Restart Required: Yes
Instructions:
1. Download Fidelis version 9.4.5 or later from official sources. 2. Backup current configuration and data. 3. Apply the update following Fidelis upgrade procedures. 4. Restart affected services as required. 5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Web Interface Access
allLimit access to the Fidelis web interface to only trusted administrative networks and IP addresses.
Configure firewall rules to restrict access to CommandPost web interface ports (typically 443/TCP)
Implement Strong Authentication Controls
allEnforce multi-factor authentication and strong password policies for all administrative accounts.
Enable MFA in Fidelis administration settings
Set minimum password length to 12+ characters with complexity requirements
🧯 If You Can't Patch
- Implement network segmentation to isolate Fidelis systems from critical infrastructure
- Monitor for suspicious command execution patterns and authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check Fidelis version via web interface admin panel or command line. Versions below 9.4.5 are vulnerable.Check Version:
Check web interface admin dashboard or consult Fidelis documentation for version check commands specific to your deployment.Verify Fix Applied:
Verify version is 9.4.5 or higher and test that command injection attempts via the 'feed' parameter are properly sanitized.📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns in system logs
- Multiple failed authentication attempts followed by successful login
- HTTP requests containing shell metacharacters in 'feed' parameter
Network Indicators:
- Unusual outbound connections from CommandPost server
- HTTP responses containing command output data
SIEM Query:
source="fidelis_logs" AND (feed_comm_test OR feed=* OR command=*) AND (response_code=200 OR auth_success=true)