CVE-2023-24836
📋 TL;DR
SUNNET CTMS has a path traversal vulnerability in its file upload function that allows authenticated users to upload and execute scripts in arbitrary directories. This enables remote code execution and service disruption. Any system running vulnerable SUNNET CTMS versions is affected.
💻 Affected Systems
- SUNNET CTMS
📦 What is this software?
Ehrd Ctms by Sun.net
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control, data exfiltration, ransomware deployment, or permanent service destruction.
Likely Case
Unauthorized file upload leading to web shell installation, lateral movement within the network, and data theft.
If Mitigated
Limited impact with proper file upload validation, directory restrictions, and least privilege access controls in place.
🎯 Exploit Status
Exploitation requires authenticated access but uses simple path traversal techniques. Weaponization is likely due to the high impact and common exploitation patterns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in provided references
Vendor Advisory: https://www.twcert.org.tw/tw/cp-132-7033-878ab-1.html
Restart Required: Yes
Instructions:
1. Contact SUNNET vendor for patch details.
2. Apply the security patch provided by SUNNET.
3. Restart the CTMS service.
4. Verify the fix by testing file upload functionality.
🔧 Temporary Workarounds
Restrict File Upload Permissions
Configure the web server to prevent execution of uploaded files in upload directories
# For Apache: Set 'php_flag engine off' in .htaccess for upload directories
# For Nginx: location ~* \.(php|pl|py|jsp|asp|sh|cgi)$ { deny all; } in upload directories
Implement File Upload Validation
Add server-side validation to restrict file types and sanitize file names
# Example PHP validation (strip any directory component from the name and compare the extension case-insensitively, so '../x.php' and 'shell.PHP' are both rejected):
# $name = basename($_FILES['file']['name']); $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
# if (!in_array($ext, ['jpg','png','pdf'], true)) { die('Invalid file type'); }
🧯 If You Can't Patch
- Implement strict network segmentation to isolate CTMS from critical systems
- Apply principle of least privilege to all user accounts and monitor for suspicious upload activities
🔍 How to Verify
Check if Vulnerable:
Test file upload functionality with path traversal payloads (e.g., '../../malicious.php') and check if files can be uploaded outside designated directories.
Check Version:
Check CTMS version through admin interface or contact SUNNET vendor for version identification methods.
Verify Fix Applied:
Attempt the same path traversal upload tests after patching - they should be blocked with proper error messages.
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload patterns
- Files with suspicious extensions (.php, .jsp, .asp) in non-standard directories
- Multiple failed upload attempts with path traversal patterns
Network Indicators:
- Unexpected outbound connections from CTMS server
- Unusual traffic patterns to/from upload endpoints
SIEM Query:
source="ctms_logs" AND (event="file_upload" AND (file_name="*../*" OR file_extension IN ("php","jsp","asp","sh")))
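The log indicators and SIEM query above, implemented as a small detection script run over constructed sample log lines (added example, not from the advisory or the vendor; the key=value log format, field names and user names are assumptions). It also normalises percent-encoded and backslash traversal sequences, which the literal `*../*` pattern in the query would miss:

```python
import re
from urllib.parse import unquote

# Constructed sample upload log lines (assumed key=value format, not real CTMS output).
SAMPLE_LOGS = [
    'event=file_upload user=alice file_name="report_q1.pdf" status=200',
    'event=file_upload user=bob file_name="../../webroot/cmd.php" status=200',
    'event=file_upload user=bob file_name="..%2F..%2Fimages%2Fshell.jsp" status=200',
    'event=file_upload user=carol file_name="photo.PNG" status=200',
    'event=login user=alice status=200',
    'event=file_upload user=dave file_name="notes.sh" status=403',
]

SCRIPT_EXTENSIONS = {"php", "jsp", "asp", "sh"}  # extensions named in the SIEM query
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Parse key=value pairs (quoted or bare values) into a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def normalise_name(name):
    """Percent-decode until stable (catches double encoding) and unify path separators."""
    prev = None
    while prev != name:
        prev, name = name, unquote(name)
    return name.replace("\\", "/")


def classify(fields):
    """Return the indicator names an upload event matches (empty list if none)."""
    if fields.get("event") != "file_upload":
        return []
    name = normalise_name(fields.get("file_name", ""))
    reasons = []
    if "../" in name:                      # traversal outside the upload directory
        reasons.append("path_traversal")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in SCRIPT_EXTENSIONS:           # script dropped via the upload function
        reasons.append(f"script_extension:{ext}")
    return reasons


def scan(lines):
    """Return (user, raw file_name, reasons) for every matching event, failed uploads included."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        reasons = classify(fields)
        if reasons:
            hits.append((fields.get("user"), fields.get("file_name"), reasons))
    return hits


if __name__ == "__main__":
    for user, fname, reasons in scan(SAMPLE_LOGS):
        print(f"ALERT user={user} file_name={fname!r} indicators={reasons}")
```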