CVE-2024-10081
📋 TL;DR
CVE-2024-10081 is an authentication bypass vulnerability in CodeChecker that allows attackers to gain superuser access to all API endpoints except the authentication endpoint. This affects all CodeChecker deployments through version 6.24.1, enabling unauthorized users to add, edit, and remove products and perform other privileged operations.
💻 Affected Systems
- CodeChecker
📦 What is this software?
Codechecker by Ericsson
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the CodeChecker instance allowing attackers to modify or delete all analysis data, products, and configurations, potentially disrupting CI/CD pipelines and development workflows.
Likely Case
Unauthorized access to sensitive code analysis data, modification of product configurations, and potential injection of malicious analysis results into development pipelines.
If Mitigated
Limited impact if CodeChecker is deployed in isolated networks with strict access controls, though the authentication bypass remains exploitable by authorized users.
🎯 Exploit Status
The vulnerability is simple to exploit by appending '/Authentication' to API URLs, requiring minimal technical skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.24.2 and later
Vendor Advisory: https://github.com/Ericsson/codechecker/security/advisories/GHSA-f3f8-vx3w-hp5q
Restart Required: Yes
Instructions:
1. Update CodeChecker to version 6.24.2 or later using your package manager or from source.
2. Restart all CodeChecker services.
3. Verify the fix by testing API endpoints.
🔧 Temporary Workarounds
Network Access Restriction
(Linux) Restrict network access to CodeChecker instances using firewall rules or network segmentation.
iptables -A INPUT -p tcp --dport [CODE_CHECKER_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [CODE_CHECKER_PORT] -j DROP
Reverse Proxy Authentication
(All platforms) Place CodeChecker behind a reverse proxy with authentication (e.g., nginx with basic auth) to add an additional authentication layer.
🧯 If You Can't Patch
- Immediately restrict network access to CodeChecker instances to only trusted IP addresses/networks.
- Monitor API access logs for suspicious patterns and implement rate limiting on API endpoints.
🔍 How to Verify
Check if Vulnerable:
Test if accessing any API endpoint with '/Authentication' appended bypasses authentication. Example: curl -X GET http://codechecker-host:8001/api/v1/products/Authentication
Check Version:
codechecker-server --version
Verify Fix Applied:
After patching, verify that the same test returns proper authentication errors instead of granting access.
📡 Detection & Monitoring
Log Indicators:
- API requests with '/Authentication' in the URL path
- Unauthorized access to privileged endpoints from unexpected IPs
- Multiple failed authentication attempts followed by successful API calls
Network Indicators:
- Unusual API traffic patterns, especially to administrative endpoints
- Requests containing '/Authentication' in URL paths
SIEM Query:
source="codechecker" AND (url="*Authentication" OR (status=200 AND (path="*/api/v1/products" OR path="*/api/v1/config")))
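The log indicators and the SIEM query above can be run offline against exported access logs. The following script is an added example written for this page, not code from the CodeChecker project or from the advisory. It assumes a simplified combined-log layout and the `/api/v1/...` path shape used in the verification example; the sample log lines, the trusted network `10.0.0.0/8`, and the assumption that the legitimate authentication endpoint sits at `/api/v1/Authentication` are all constructed for illustration. It flags two things: a path that is some other endpoint with `/Authentication` appended, and a `200` response on a privileged endpoint from an address outside the trusted network.

```python
"""Flag CodeChecker API requests matching the CVE-2024-10081 bypass pattern
(another endpoint's path with '/Authentication' appended) and 200 responses
on privileged endpoints from untrusted addresses. Added example; not project code."""
import ipaddress
import re

# Constructed sample access log (simplified combined-log layout, not real
# CodeChecker output). The /api/v1/... path shape is an assumption taken from
# the verification example on this page.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2024:10:01:02 +0000] "GET /api/v1/products HTTP/1.1" 401 -
203.0.113.7 - - [12/Nov/2024:10:01:05 +0000] "GET /api/v1/products/Authentication HTTP/1.1" 200 1834
10.0.0.5 - - [12/Nov/2024:10:02:10 +0000] "POST /api/v1/Authentication HTTP/1.1" 200 52
10.0.0.5 - - [12/Nov/2024:10:02:11 +0000] "GET /api/v1/products HTTP/1.1" 200 1834
203.0.113.7 - - [12/Nov/2024:10:03:00 +0000] "POST /api/v1/config/Authentication HTTP/1.1" 200 17
198.51.100.9 - - [12/Nov/2024:10:04:00 +0000] "GET /api/v1/config HTTP/1.1" 200 640
this line is garbage and is skipped by the parser
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# '/Authentication' appended to some *other* endpoint: at least one path
# segment between the API prefix and the trailing '/Authentication'. The
# legitimate auth endpoint (assumed here to be /api/v1/Authentication) has no
# such segment and therefore does not match.
APPENDED_AUTH_RE = re.compile(r'^/api/v\d+/(?:[^/?]+/)+Authentication/?(?:\?.*)?$')

# Endpoints the page treats as privileged (assumed path shape).
PRIVILEGED_PREFIXES = ('/api/v1/products', '/api/v1/config')
DEFAULT_TRUSTED_NETS = ('10.0.0.0/8',)  # constructed allowlist


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def is_trusted(ip, trusted_nets):
    """True if ip falls inside any CIDR in trusted_nets; malformed ips are untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n) for n in trusted_nets)


def analyze(log_text, trusted_nets=DEFAULT_TRUSTED_NETS):
    """Return one finding per suspicious request, each listing the reasons it matched."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if APPENDED_AUTH_RE.match(rec['path']):
            reasons.append('appended_authentication')
        if (rec['status'] == 200
                and rec['path'].startswith(PRIVILEGED_PREFIXES)
                and not is_trusted(rec['ip'], trusted_nets)):
            reasons.append('privileged_endpoint_untrusted_ip')
        if reasons:
            findings.append({'ip': rec['ip'], 'path': rec['path'],
                             'status': rec['status'], 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['status']} {f['path']:40} {', '.join(f['reasons'])}")
```

Run against the sample, the script reports the two appended-`/Authentication` requests from `203.0.113.7` and the `200` on `/api/v1/config` from `198.51.100.9`, while the legitimate login on `/api/v1/Authentication` and the authenticated `/api/v1/products` read from the trusted network are left alone. Adjust `PRIVILEGED_PREFIXES` and `APPENDED_AUTH_RE` to the path layout your deployment actually logs before relying on it.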