CVE-2024-12643
📋 TL;DR
The tbm-client from Chunghwa Telecom has two vulnerabilities: lack of CSRF protection in APIs allowing unauthenticated remote attacks via phishing, and an absolute path traversal vulnerability in one API enabling arbitrary file deletion. This affects users running the vulnerable tbm-client software. Attackers can delete critical system files remotely without authentication.
💻 Affected Systems
- Chunghwa Telecom tbm-client
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via deletion of critical operating system files, leading to system instability, data loss, or rendering the system inoperable.
Likely Case
Targeted deletion of user files, configuration files, or application data causing service disruption and potential data loss.
If Mitigated
Limited impact if network segmentation prevents external access and proper file permissions restrict deletion of critical system files.
🎯 Exploit Status
Exploitation requires tricking users into visiting malicious websites (phishing) but doesn't require authentication to the tbm-client.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://www.twcert.org.tw/en/cp-139-8301-c2f4b-2.html
Restart Required: Yes
Instructions:
1. Check the vendor advisory for patched version
2. Download and install the updated tbm-client from Chunghwa Telecom
3. Restart the system or tbm-client service
🔧 Temporary Workarounds
Disable tbm-client web server
Stop the local web server component that hosts the vulnerable APIs
Check tbm-client documentation for disabling web server functionality
Network isolation
Block external access to the tbm-client web server port
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source NOT address="127.0.0.1" port port="[tbm-port]" protocol="tcp" reject'
firewall-cmd --reload
netsh advfirewall firewall add rule name="Block tbm-client" dir=in action=block protocol=TCP localport=[tbm-port] remoteip=any
🧯 If You Can't Patch
- Implement strict network segmentation to isolate systems running tbm-client from untrusted networks
- Deploy application control solutions to prevent unauthorized file deletion operations
🔍 How to Verify
Check if Vulnerable:
Check if tbm-client is running and accessible on its default port, and verify version against vendor advisory
Check Version:
Check tbm-client documentation for version command or examine installed package version
Verify Fix Applied:
Verify tbm-client version matches patched version from vendor advisory and test API endpoints for CSRF protection
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in system logs
- Access to tbm-client APIs from external IP addresses
- Failed file deletion attempts with path traversal patterns
Network Indicators:
- HTTP requests to tbm-client API endpoints containing path traversal sequences (../)
- External connections to tbm-client web server port
SIEM Query:
source="*tbm-client*" AND (event="file_delete" OR uri="*../*")
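The log and network indicators above, turned into a small scanner over constructed access-log lines. This is an added example, not tooling from Chunghwa Telecom or from this advisory; the /api/delete route, its "path" parameter and the log line format are assumptions to be replaced with the real routes from the vendor advisory. It flags traversal segments, absolute paths (the vulnerability class named in the TL;DR), non-loopback clients, and cross-site Referers on state-changing requests, since a CSRF request arrives from the victim's own browser at 127.0.0.1 and is not caught by a source-IP check alone.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit
# Constructed sample log (not real tbm-client output), one request per line:
# client_ip method uri status referer ("-" when the browser sent none).
# The /api/delete route and its "path" parameter are hypothetical; substitute
# the real tbm-client API routes named in the vendor advisory.
SAMPLE_LOG = """\
127.0.0.1 POST /api/delete?path=tmp%2Fjob1.log 200 http://localhost:8080/
10.0.0.7 POST /api/delete?path=..%2F..%2Fetc%2Fhosts 200 -
127.0.0.1 POST /api/delete?path=%2Fetc%2Fpasswd 200 http://attacker.example/
127.0.0.1 GET /api/status 200 http://localhost:8080/
127.0.0.1 POST /api/delete?path=C%3A%5CWindows%5Csystem.ini 200 http://evil.example/
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) (\S+)$')
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')        # ../ or ..\ segment
ABSOLUTE_RE = re.compile(r'^([\\/]|[A-Za-z]:[\\/])')        # /etc/x or C:\x
LOCAL_ORIGINS = ('localhost', '127.0.0.1', '::1')

def classify(line):
    """Return the indicator names that fire for one log line ([] if clean)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    client, method, uri, _status, referer = m.groups()
    flags = []
    parts = urlsplit(uri)
    if parts.path == '/api/delete':            # only the deletion API takes a path
        for _key, value in parse_qsl(parts.query, keep_blank_values=True):
            value = unquote(value)             # second decode catches %252F tricks
            if TRAVERSAL_RE.search(value):
                flags.append('traversal')
            if ABSOLUTE_RE.match(value):
                flags.append('absolute_path')
    if not ipaddress.ip_address(client).is_loopback:
        flags.append('external_client')        # the API should only be reached locally
    # A state-changing request whose Referer is another site is the CSRF signature,
    # even when the client IP is 127.0.0.1 (the victim's own browser sent it).
    if method == 'POST' and referer != '-':
        if urlsplit(referer).hostname not in LOCAL_ORIGINS:
            flags.append('cross_site_referer')
    return flags

def scan(log_text):
    """Map each flagged line number (1-based) to its indicator list."""
    numbered = enumerate(log_text.splitlines(), 1)
    return {i: f for i, f in ((i, classify(l)) for i, l in numbered) if f}
```

Run `scan(SAMPLE_LOG)` to see lines 2, 3 and 5 flagged; line 1 (a relative path from a local page) and line 4 (a read-only status call) stay quiet.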