CVE-2024-10379

4.3 MEDIUM

📋 TL;DR

This CVE describes a path traversal vulnerability in ESAFENET CDG 5 that allows attackers to read arbitrary files on the server by manipulating the decryptFileId parameter. The vulnerability affects systems running ESAFENET CDG 5 with the vulnerable DecryptApplicationService component exposed. Attackers can exploit this remotely without authentication to access sensitive system files.

💻 Affected Systems

Products:
  • ESAFENET CDG
Versions: Version 5 (specific patch levels unknown)
Operating Systems: Windows, Linux - any OS running the vulnerable Java application
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the DecryptApplicationService component which appears to be part of the standard installation. The function name contains a typo (missing 'R' in 'actionViewDecyptFile').

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could read critical system files like /etc/passwd, /etc/shadow, Windows SAM files, or configuration files containing credentials, potentially leading to full system compromise.

🟠

Likely Case

Attackers will read sensitive configuration files, application data, or system files to gather information for further attacks or data exfiltration.

🟢

If Mitigated

With proper file permissions and network segmentation, impact is limited to files accessible by the application service account.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication, making internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to escalate privileges or move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details have been publicly disclosed showing how to use path traversal sequences like ../../../ to access arbitrary files. The vulnerability is simple to exploit with basic HTTP requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available - vendor did not respond to disclosure

Restart Required: Yes

Instructions:

1. Contact ESAFENET for an official patch or guidance.
2. If no patch is available, implement the workarounds below.
3. Monitor vendor communications for updates.
4. Consider upgrading to a newer version if one is available.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Implement input validation to reject path traversal sequences in the decryptFileId parameter.

Add validation in DecryptApplicationService.java to check for '../' sequences and reject malicious input.

Web Application Firewall Rule (platform: all)

Block requests containing path traversal patterns in the URL parameters.

WAF rule to block: *../* in request parameters
ModSecurity rule: SecRule ARGS "@contains ../" "id:1001,phase:2,deny"
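The two workarounds above both key on a literal '../' substring. The added example below (not ESAFENET's code, and written in Python rather than the product's Java to keep the technique self-contained) contrasts that substring check with the stronger approach of canonicalising the requested path and confirming it still lies under the directory the service is meant to serve from. The base directory /opt/cdg/decrypted, the function names and the sample decryptFileId values are all assumptions constructed for the example; it shows that percent-encoded and backslash variants pass the substring check but are still rejected by the canonical-path check.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical directory the decrypt handler is meant to serve files from (assumption).
ALLOWED_BASE = "/opt/cdg/decrypted"


def naive_reject(decrypt_file_id: str) -> bool:
    """The check the advisory's WAF rule performs: rejects only a literal '../' substring."""
    return "../" in decrypt_file_id


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %252E%252E is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def resolve_under_base(decrypt_file_id: str, base: str = ALLOWED_BASE):
    """Return the canonical path for decrypt_file_id if it stays inside base, else None.

    Steps: percent-decode, treat backslashes as separators (Windows deployments are in
    scope), refuse NUL bytes, strip any leading slash so the id cannot name an absolute
    path, join with the base, normalise lexically, then require the result to sit
    strictly below the base directory.
    """
    value = decode_fully(decrypt_file_id).replace("\\", "/")
    if "\x00" in value:
        return None  # NUL truncates paths in native code; never pass it on
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, value.lstrip("/")))
    if candidate.startswith(base_norm + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed inputs: the first is a legitimate id, the rest are traversal variants.
    for sample in ["report.docx", "../../../etc/passwd",
                   "..%2F..%2F..%2Fetc%2Fpasswd", "..\\..\\..\\windows\\win.ini"]:
        print(f"{sample!r:40} naive_reject={naive_reject(sample)!s:5} "
              f"resolved={resolve_under_base(sample)}")
```

The lexical normalisation here does not follow symlinks; in the real handler, apply the same containment check again to the OS-resolved real path (Java's `File.getCanonicalPath()` or Python's `os.path.realpath`) before opening the file. Better still, if decryptFileId is an identifier rather than a file name, look it up in the application's own records and never let the client supply any part of a path.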

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to the vulnerable service only to trusted networks
  • Apply strict file system permissions to limit what files the application service account can read

🔍 How to Verify

Check if Vulnerable:

Send an HTTP request to the DecryptApplicationService endpoint with the parameter decryptFileId=../../../etc/passwd and check whether the file contents are returned.

Check Version:

Check application version through admin interface or configuration files. Exact command depends on deployment method.

Verify Fix Applied:

Test with the same path traversal payloads and verify that the requests are rejected or return an error instead of file contents.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' sequences in parameters
  • Unusual file access patterns from the application service
  • Failed file access attempts to system directories

Network Indicators:

  • HTTP requests with path traversal patterns in URL parameters
  • Unusual outbound data transfers following file read attempts

SIEM Query:

source="web_server_logs" AND (url="*../*" OR parameters="*../*") AND dest_port="application_port"
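The SIEM query above matches only a literal '../' in the raw URL, so a percent-encoded payload such as ..%2F..%2F never matches. The added example below (not part of the original page) implements the log indicators as a scan over web server access logs: it parses combined-format lines, percent-decodes the path and every query parameter, flags traversal sequences, and separates probable successes (2xx with a body) from blocked attempts. The log lines are constructed samples using documentation-range addresses, and the /DecryptApplicationService request path is an assumption, not the product's documented route.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in combined log format; the request path is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2024:10:01:02 +0000] "GET /DecryptApplicationService?decryptFileId=report-1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Nov/2024:10:01:07 +0000] "GET /DecryptApplicationService?decryptFileId=../../../etc/passwd HTTP/1.1" 200 1823 "-" "curl/8.4.0"
203.0.113.9 - - [12/Nov/2024:10:01:09 +0000] "GET /DecryptApplicationService?decryptFileId=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 0 "-" "curl/8.4.0"
10.0.0.7 - - [12/Nov/2024:10:02:15 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Dot-dot followed by either separator; evaluated only after percent-decoding.
TRAVERSAL = re.compile(r"\.\.[/\\]")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so double-encoded '..' is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def scan_log(text: str) -> list:
    """Return one finding per request whose path or any parameter decodes to a traversal."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        # Check the path and every parameter value; parse_qsl decodes one layer already.
        candidates = [("<path>", parts.path)] + parse_qsl(parts.query, keep_blank_values=True)
        for name, value in candidates:
            decoded = decode_fully(value)
            if TRAVERSAL.search(decoded):
                findings.append({
                    "ip": m["ip"], "timestamp": m["ts"], "param": name,
                    "decoded": decoded, "status": int(m["status"]),
                    "size": 0 if m["size"] == "-" else int(m["size"]),
                })
                break  # one finding per request is enough for triage
    return findings


def likely_successful(findings: list) -> list:
    """A 2xx with a non-empty body after a traversal payload suggests the file was served."""
    return [f for f in findings if 200 <= f["status"] < 300 and f["size"] > 0]


def sources(findings: list) -> Counter:
    """Count findings per client address to spot a single host probing repeatedly."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("likely successful:", len(likely_successful(hits)))
    print("by source:", dict(sources(hits)))
```

The second sample line is the one to escalate: a traversal payload answered with 200 and a body of 1823 bytes is consistent with the file being returned, whereas the 403 with an empty body shows the WAF rule doing its job. Feeding the same decode-then-match logic into the SIEM (or enabling URL-decoding transformations in the WAF) closes the encoded-variant gap in the literal '*../*' query.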

🔗 References
