CVE-2024-21852

8.8 HIGH

📋 TL;DR

CVE-2024-21852 is a Zip Slip vulnerability in Rapid SCADA: an attacker who can upload a crafted configuration archive gets its entries written to arbitrary locations when the archive is unpacked, leading to arbitrary file write and remote code execution. This affects all Rapid SCADA installations prior to version 5.8.4. Industrial control systems running vulnerable versions are at risk of compromise.

💻 Affected Systems

Products:
  • Rapid SCADA
Versions: All versions prior to 5.8.4
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations where configuration file upload functionality is enabled, which is typically part of normal operations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining remote code execution, potentially disrupting industrial operations, stealing sensitive data, or establishing persistence in critical infrastructure.

🟠

Likely Case

Attackers achieve remote code execution on SCADA servers, allowing them to manipulate industrial processes, exfiltrate operational data, or pivot to other network systems.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the SCADA server itself without affecting broader industrial processes.

🌐 Internet-Facing: HIGH - If SCADA web interface is exposed to internet, attackers can exploit remotely without internal access.
🏢 Internal Only: HIGH - Even internally, any user with upload access can exploit this vulnerability to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to upload configuration files, which typically requires some level of access to the SCADA interface. The vulnerability is in the unpacking routine, making exploitation straightforward once file upload is achieved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.8.4

Vendor Advisory: https://rapidscada.org/contact/

Restart Required: Yes

Instructions:

1. Download Rapid SCADA version 5.8.4 or later from the official vendor site.
2. Back up the current configuration and data.
3. Stop all Rapid SCADA services.
4. Install the updated version.
5. Restart the services and verify functionality.

🔧 Temporary Workarounds

Disable configuration file upload

all

Temporarily disable the ability to upload configuration files through the SCADA interface

Implement file upload validation

all

Add server-side validation to reject configuration files containing path traversal sequences
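As an added illustration of the server-side check this workaround describes (example code, not Rapid SCADA's own unpacking routine), the Python below resolves every archive entry against the destination directory before anything is written and rejects entries that would escape it: ".." sequences, the backslash variant, and absolute paths. The sample archive and its entry names are constructed here for the demonstration.

```python
import io, os, tempfile, zipfile

def is_safe_entry(dest_root: str, entry_name: str) -> bool:
    """True only if the archive entry would land inside dest_root after resolution."""
    name = entry_name.replace("\\", "/")              # Windows-style names in the zip
    if name.startswith("/") or os.path.splitdrive(name)[0]:
        return False                                  # absolute path or drive letter
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, name))
    # commonpath (not startswith) so '/srv/cfg2' cannot pass as inside '/srv/cfg'
    return os.path.commonpath([root, target]) == root

def check_archive(data: bytes, dest_root: str) -> dict:
    """Classify every entry as safe or rejected without writing anything to disk."""
    result = {"safe": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            key = "safe" if is_safe_entry(dest_root, info.filename) else "rejected"
            result[key].append(info.filename)
    return result

def safe_extract(data: bytes, dest_root: str) -> list:
    """Write only entries that pass the check; return their paths relative to dest_root."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(dest_root, info.filename) or info.is_dir():
                continue
            target = os.path.join(dest_root, info.filename.replace("\\", "/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.relpath(target, dest_root))
    return written

def build_sample_archive() -> bytes:
    """Constructed sample (not a real Rapid SCADA package): one benign entry, three hostile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Config/ScadaProject.xml", "<project/>")       # benign
        zf.writestr("../../evil.txt", "escapes via ..")            # classic Zip Slip
        zf.writestr("..\\..\\evil2.txt", "backslash variant")      # Windows separator
        zf.writestr("/etc/cron.d/job", "absolute path")            # absolute path
    return buf.getvalue()

def demo_extract() -> list:
    """Extract the sample into a fresh temp dir; only the benign entry gets written."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_sample_archive(), dest)
```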

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SCADA systems from general corporate networks
  • Deploy application allowlisting to prevent execution of unauthorized binaries on SCADA servers

🔍 How to Verify

Check if Vulnerable:

Check Rapid SCADA version in administration interface or by examining installed files. Versions below 5.8.4 are vulnerable.

Check Version:

On Windows: Check 'About' in Rapid SCADA Administrator. On Linux: Check version in /opt/rapidscada directory or via package manager.

Verify Fix Applied:

Verify version is 5.8.4 or higher in administration interface and test configuration file upload functionality with safe test files.

📡 Detection & Monitoring

Log Indicators:

  • Unusual configuration file uploads
  • Path traversal patterns in file names
  • Unexpected file writes outside expected directories

Network Indicators:

  • Unusual uploads to SCADA web interface
  • Suspicious file transfer patterns to SCADA servers

SIEM Query:

source="rapidscada" AND (event="file_upload" AND (filename CONTAINS ".." OR filename CONTAINS "/" OR filename CONTAINS "\\"))
