CVE-2022-24796

10.0 CRITICAL

📋 TL;DR

CVE-2022-24796 is a critical remote code execution vulnerability in RaspberryMatic's WebUI file upload feature. Unauthenticated attackers with network access can execute arbitrary commands as root via shell metacharacter injection in HTTP queries, leading to complete system compromise. All RaspberryMatic installations with versions after 2.31.25.20180428 and before 3.63.8.20220330 are affected.

💻 Affected Systems

Products:
  • RaspberryMatic
Versions: After 2.31.25.20180428 and prior to 3.63.8.20220330
Operating Systems: RaspberryMatic OS (Linux-based)
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations with WebUI enabled are vulnerable. The WebUI is typically enabled by default for administration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with root privileges, allowing attackers to install malware, steal data, pivot to other systems, or render the smart-home system inoperable.

🟠 Likely Case

Remote attackers gaining full control of the RaspberryMatic system, accessing smart-home devices, and potentially compromising the entire home network.

🟢 If Mitigated

No impact if the system is properly patched or isolated from untrusted networks.

🌐 Internet-Facing: HIGH - WebUI interface is typically exposed to local networks, and if exposed to the internet, provides direct unauthenticated RCE.
🏢 Internal Only: HIGH - Even on internal networks, any compromised device or malicious insider can exploit this vulnerability without authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only network access to the WebUI port (typically 80/443) and sending crafted HTTP requests with shell metacharacters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.63.8.20220330 or newer

Vendor Advisory: https://github.com/jens-maus/RaspberryMatic/security/advisories/GHSA-g7vv-7rmf-mff7

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Download the latest RaspberryMatic version from the official repository.
3. Perform the system update via the WebUI or a manual installation.
4. Reboot the system.
5. Verify that the version is 3.63.8.20220330 or newer.

🔧 Temporary Workarounds

Network Isolation


Restrict network access to RaspberryMatic WebUI interface to trusted hosts only.

# TRUSTED_IP is a placeholder for the address of the management host that may reach the WebUI.
# Rules are appended in order: allow the trusted host first, then drop everything else on both ports.
# Because -A appends, an existing broader ACCEPT rule earlier in INPUT would still match first;
# review the chain with: iptables -L INPUT -n --line-numbers
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Disable WebUI interface completely if not needed for operations.
  • Place RaspberryMatic system on isolated VLAN with no internet or untrusted network access.

🔍 How to Verify

Check if Vulnerable:

Check the current RaspberryMatic version via the WebUI dashboard or an SSH connection. If the version is between 2.31.25.20180428 and 3.63.8.20220330 (both bounds exclusive), the system is vulnerable.

Check Version:

cat /VERSION or check WebUI dashboard

Verify Fix Applied:

Confirm that the version is 3.63.8.20220330 or newer. Test the file upload functionality with safe test files to ensure proper input validation.
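As an added example (not part of this advisory or the RaspberryMatic project), a small Python checker that applies the version range above to the contents of /VERSION. It assumes the file holds either a bare version string or a `VERSION=...` line; that file format is an assumption, not something the advisory states.

```python
import re
import sys

# Bounds taken from the advisory: affected after the first, fixed from the second (both exclusive).
AFFECTED_AFTER = (2, 31, 25, 20180428)
FIXED_IN = (3, 63, 8, 20220330)

# RaspberryMatic versions look like MAJOR.MINOR.PATCH.YYYYMMDD
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d{8})$")


def parse_version(text: str) -> tuple:
    """Extract the version tuple from the text of /VERSION.

    Assumption: the file contains either a bare version string or a
    `VERSION=3.63.8.20220330` line; other KEY=VALUE lines are ignored.
    """
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("VERSION="):
            line = line.split("=", 1)[1].strip()
        m = _VERSION_RE.match(line)
        if m:
            return tuple(int(x) for x in m.groups())
    raise ValueError("no RaspberryMatic version string found")


def is_vulnerable(version: tuple) -> bool:
    """True when AFFECTED_AFTER < version < FIXED_IN; tuple comparison is lexicographic."""
    return AFFECTED_AFTER < version < FIXED_IN


def assess(version_file_text: str) -> str:
    """Human-readable verdict for the given /VERSION contents."""
    v = parse_version(version_file_text)
    label = ".".join(str(x) for x in v)
    if is_vulnerable(v):
        return f"{label}: VULNERABLE to CVE-2022-24796, update to 3.63.8.20220330 or newer"
    if v >= FIXED_IN:
        return f"{label}: fixed"
    return f"{label}: not in the affected range (older than 2.31.25.20180428)"


if __name__ == "__main__":
    # Pass a path to a copied /VERSION file, otherwise run on a constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(assess(fh.read()))
    else:
        print(assess("VERSION=3.63.7.20220315\nPRODUCT=rpi3\n"))  # constructed sample
```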

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload attempts in WebUI logs
  • Shell command execution patterns in system logs
  • Multiple failed or unusual HTTP requests to upload endpoints

Network Indicators:

  • HTTP POST requests to upload endpoints containing shell metacharacters
  • Unusual outbound connections from RaspberryMatic system

SIEM Query:

source="raspberrymatic" AND (url="*upload*" AND (request="*;*" OR request="*|*" OR request="*`*" OR request="*$(*"))

🔗 References
