CVE-2022-24394
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary system commands on Fidelis Network and Deception CommandPost servers through command injection in the web interface. Attackers can inject commands via the 'filename' parameter when making HTTP requests, potentially gaining full control of affected systems. Organizations running vulnerable versions of Fidelis Network or Deception prior to 9.4.5 are affected.
💻 Affected Systems
- Fidelis Network
- Fidelis Deception
📦 What is this software?
Fidelis Deception by Fidelis Security
Fidelis Network by Fidelis Security
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the CommandPost server, allowing attackers to execute arbitrary commands with system privileges, steal sensitive data, deploy ransomware, pivot to other network systems, and maintain persistent access.
Likely Case
Attackers with authenticated access (compromised credentials or insider threat) execute commands to exfiltrate network security data, modify security policies, or establish backdoors for future access.
If Mitigated
Limited impact due to network segmentation, strong authentication controls, and monitoring that detects unusual command execution patterns before significant damage occurs.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once valid credentials are obtained: the injectable 'filename' parameter is ordinary request input to the web interface, so no additional preconditions are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.4.5 and later
Vendor Advisory: https://fidelissecurity.zendesk.com/hc/en-us/articles/6211730139411
Restart Required: Yes
Instructions:
1. Download the 9.4.5 or later update from the Fidelis support portal.
2. Back up the current configuration and data.
3. Apply the update following vendor instructions.
4. Restart the CommandPost service or server as required.
5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Web Interface Access
Limit access to the CommandPost web interface to only trusted IP addresses and networks using firewall rules.
Enforce Strong Authentication
Implement multi-factor authentication and strong password policies to reduce the risk of credential compromise.
🧯 If You Can't Patch
- Implement network segmentation to isolate CommandPost servers from critical systems
- Enable detailed logging and monitoring for unusual command execution patterns
🔍 How to Verify
Check if Vulnerable:
Check the CommandPost version via the web interface admin panel or system information. If the version is below 9.4.5, the system is vulnerable.
Check Version:
Check via web interface: Admin > System Information, or consult vendor documentation for CLI version check.
Verify Fix Applied:
After patching, verify the version shows 9.4.5 or higher. Test the 'update_checkfile' functionality to ensure command injection is no longer possible.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Multiple failed authentication attempts followed by successful login
- HTTP requests with unusual characters in 'filename' parameter
Network Indicators:
- Unusual outbound connections from CommandPost server
- HTTP responses containing command output that shouldn't be in web responses
SIEM Query:
source="commandpost.log" AND ("update_checkfile" OR "filename=") AND ("|" OR ";" OR "$" OR "`")
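The SIEM query above is a string match; the same indicator (shell metacharacters inside the 'filename' parameter of requests to the update_checkfile endpoint) can be checked offline against exported web-server logs. The following is an added example written for this page, not code from Fidelis or from the original advisory. It assumes a common access-log layout, because the real CommandPost log format is not documented here, and the sample lines are constructed: they show metacharacters in the parameter without any real command.

```python
import re
from urllib.parse import urlparse, parse_qs

# Metacharacters from the page's SIEM query (|, ;, $, `) plus '&', which a
# command injection could also use. This list is an assumption, not a
# vendor-published signature.
SUSPICIOUS_CHARS = set("|;$`&")

# Common access-log layout: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real CommandPost logs). Lines 2-4 carry
# URL-encoded ';', '|' and '`' inside 'filename'; the placeholder word "cmd"
# stands in for whatever followed the metacharacter.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2022:10:01:02 +0000] "GET /update_checkfile?filename=report.txt HTTP/1.1" 200 512
10.0.0.9 - admin [12/Mar/2022:10:03:44 +0000] "GET /update_checkfile?filename=report.txt%3Bcmd HTTP/1.1" 200 731
10.0.0.9 - admin [12/Mar/2022:10:04:01 +0000] "POST /update_checkfile?filename=x%7Ccmd HTTP/1.1" 200 2048
10.0.0.9 - admin [12/Mar/2022:10:04:20 +0000] "GET /update_checkfile?filename=%60cmd%60 HTTP/1.1" 200 640
10.0.0.7 - guest [12/Mar/2022:10:05:00 +0000] "GET /dashboard HTTP/1.1" 200 128
"""


def find_injection_attempts(log_text: str) -> list[dict]:
    """Return one record per request whose 'filename' value contains a
    shell metacharacter after URL decoding. Decoding matters: a raw string
    match on the log would miss %3B, %7C and %60."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        url = urlparse(m.group("target"))
        params = parse_qs(url.query, keep_blank_values=True)  # decodes %XX
        for value in params.get("filename", []):
            bad = sorted(SUSPICIOUS_CHARS & set(value))
            if bad:
                hits.append({
                    "src": m.group("src"),
                    "user": m.group("user"),
                    "time": m.group("ts"),
                    "path": url.path,
                    "filename": value,
                    "metachars": bad,
                    # True when the request also targets the endpoint named
                    # in this advisory; other paths are still worth a look.
                    "endpoint_match": "update_checkfile" in url.path,
                })
    return hits


def sources_with_repeat_hits(hits: list[dict], threshold: int = 2) -> list[str]:
    """Client addresses responsible for at least `threshold` flagged requests,
    which separates a single odd filename from a sustained probing session."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for h in find_injection_attempts(SAMPLE_LOG):
        print(f'{h["time"]} {h["src"]} user={h["user"]} path={h["path"]} '
              f'filename={h["filename"]!r} metachars={h["metachars"]}')
    print("repeat sources:", sources_with_repeat_hits(find_injection_attempts(SAMPLE_LOG)))
```

Run it against a log export with the same layout (or adjust LOG_RE to the real format); the repeat-source summary is the part worth alerting on, since one metacharacter in a filename can be a typo but several from one client in a short window rarely are.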