CVE-2024-21855

9.8 CRITICAL

📋 TL;DR

CVE-2024-21855 is an unauthenticated remote code execution vulnerability in GoCast 1.1.3's HTTP API. Attackers can send specially crafted HTTP requests to execute arbitrary commands without authentication. This affects all systems running the vulnerable GoCast version with HTTP API exposed.

💻 Affected Systems

Products:
  • GoCast
Versions: 1.1.3
Operating Systems: All platforms running GoCast
Default Config Vulnerable: ⚠️ Yes
Notes: Any system with GoCast 1.1.3 HTTP API accessible is vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to execute arbitrary commands, install malware, exfiltrate data, or pivot to other systems.

🟠

Likely Case

Remote code execution leading to data theft, ransomware deployment, or botnet recruitment.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external access.

🌐 Internet-Facing: HIGH - Directly exploitable from the internet without authentication.
🏢 Internal Only: HIGH - Even internal attackers can exploit without credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details available in Talos Intelligence reports. Simple HTTP request triggers the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider workarounds or discontinuing use of GoCast 1.1.3.

🔧 Temporary Workarounds

Network Access Restriction (platform: linux)

Restrict network access to the GoCast HTTP API using firewall rules. Because -A appends, the ACCEPT rule for the trusted network must be added first, and you should confirm that no earlier rule in the INPUT chain already accepts traffic to that port:

iptables -A INPUT -p tcp --dport [GOCAST_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [GOCAST_PORT] -j DROP

Disable HTTP API (platform: all)

Disable the vulnerable HTTP API functionality if it is not required.

Edit the GoCast configuration to disable the HTTP API or remove the HTTP listener.

🧯 If You Can't Patch

  • Isolate GoCast systems in a restricted network segment with no internet access.
  • Implement strict network monitoring and alerting for suspicious HTTP requests to GoCast API endpoints.

🔍 How to Verify

Check if Vulnerable:

Check whether the GoCast version is 1.1.3 and whether the HTTP API is reachable, for example: curl -v http://[TARGET]:[PORT]/api/endpoints. Any HTTP response from that path means the API is exposed to the host you ran the command from.

Check Version:

Check GoCast configuration files or process output for version information.

Verify Fix Applied:

Verify HTTP API is no longer accessible or restricted to trusted sources only.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to GoCast API endpoints
  • Command execution patterns in system logs

Network Indicators:

  • HTTP POST/PUT requests to GoCast API with command injection patterns
  • Outbound connections from GoCast system to unknown destinations

SIEM Query:

source="gocast.log" AND (http_method="POST" OR http_method="PUT") AND uri="/api/*" AND (content="cmd" OR content="exec" OR content="system")
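The SIEM query above only matches where those fields are already extracted; the following is an added example (not part of this advisory and not GoCast's own code) that applies the same two indicators, API access from outside the trusted network and POST/PUT requests to /api/ containing the cmd/exec/system keywords, to raw access-log lines. It assumes a combined-log-style format with a hypothetical trailing body="..." field, a placeholder trusted network of 10.0.0.0/8 standing in for [TRUSTED_NETWORK], and a constructed sample log; the fourth sample line shows that plain keyword matching also fires on a benign "system=on" setting, so such hits need triage rather than automatic blocking.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample log written for this example (not real GoCast output).
# Format: combined-log style plus a hypothetical body="..." field that a
# reverse proxy could be configured to record.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /api/endpoints HTTP/1.1" 200 512 body=""
10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "POST /api/config HTTP/1.1" 200 64 body="name=cast1"
203.0.113.7 - - [12/Mar/2024:10:02:31 +0000] "POST /api/exec HTTP/1.1" 200 0 body="cmd=[placeholder]"
10.0.0.9 - - [12/Mar/2024:10:03:00 +0000] "PUT /api/settings HTTP/1.1" 200 10 body="system=on"
198.51.100.3 - - [12/Mar/2024:10:04:12 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 body=""
this line is not a valid access-log record
"""

# Placeholder for the advisory's [TRUSTED_NETWORK]; adjust to your environment.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
# Keywords taken from the advisory's SIEM query.
COMMAND_KEYWORDS = ("cmd", "exec", "system")

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'body="(?P<body>[^"]*)"$'
)
KEYWORD_RE = re.compile(r"\b(" + "|".join(COMMAND_KEYWORDS) + r")\b", re.IGNORECASE)


@dataclass
class Finding:
    src: str
    method: str
    path: str
    reasons: List[str] = field(default_factory=list)


def is_trusted(src: str) -> bool:
    """True if src parses as an IP address inside one of TRUSTED_NETWORKS."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def analyse(log_text: str) -> Tuple[List[Finding], int]:
    """Return (findings, number of unparseable lines) for the given log text."""
    findings: List[Finding] = []
    skipped = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            skipped += 1  # malformed lines are counted, not silently dropped
            continue
        src, method, path, body = m["src"], m["method"], m["path"], m["body"]
        if not path.startswith("/api/"):
            continue  # only the HTTP API is in scope for this advisory
        reasons = []
        # Indicator 1: API reached from outside the network the firewall rule allows.
        if not is_trusted(src):
            reasons.append("api-access-from-untrusted-source")
        # Indicator 2: state-changing request whose path or body carries a command keyword.
        if method in ("POST", "PUT") and (KEYWORD_RE.search(path) or KEYWORD_RE.search(body)):
            reasons.append("command-keyword-in-request")
        if reasons:
            findings.append(Finding(src, method, path, reasons))
    return findings, skipped


if __name__ == "__main__":
    hits, bad = analyse(SAMPLE_LOG)
    for f in hits:
        print(f"{f.src} {f.method} {f.path}: {', '.join(f.reasons)}")
    print(f"{bad} unparseable line(s)")
```

Run against the embedded sample it reports the request from 203.0.113.7 with both reasons and the PUT from 10.0.0.9 with the keyword reason only; the GET from 198.51.100.3 is ignored because it never touches /api/.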

🔗 References
