CVE-2024-22107
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary commands on GTB Central Console systems through command injection in the DNS settings endpoint. Attackers can compromise the entire platform by injecting malicious commands. Only GTB Central Console version 15.17.1-30814.NG is affected.
💻 Affected Systems
- GTB Central Console
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing an attacker to execute arbitrary commands with web server privileges, potentially leading to data theft, lateral movement, or complete system takeover.
Likely Case
Authenticated attacker gains remote code execution on the web server, potentially accessing sensitive data and system resources.
If Mitigated
With proper authentication controls and network segmentation, impact is limited to the web application server only.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Check vendor website for updates or consider workarounds.
🔧 Temporary Workarounds
Block vulnerable endpoint
Add a web application firewall rule or reverse proxy configuration to block access to the vulnerable endpoint.
# Example nginx location block:
location /old/react/v1/api/system/dns/data {
deny all;
return 403;
}
Restrict network access
Limit access to the GTB Central Console interface to trusted IP addresses only.
# Example iptables rules (-A appends, so these only take effect if no earlier rule
# in the INPUT chain already accepts traffic to [WEB_PORT]):
iptables -A INPUT -p tcp --dport [WEB_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [WEB_PORT] -j DROP
🧯 If You Can't Patch
- Implement strict authentication controls and monitor for suspicious login attempts
- Segment the GTB Central Console server from critical infrastructure and implement network monitoring
🔍 How to Verify
Check if Vulnerable:
Check if running GTB Central Console version 15.17.1-30814.NG and test the /old/react/v1/api/system/dns/data endpoint with authenticated access.
Check Version:
Check the application version in the web interface or configuration files.
Verify Fix Applied:
Verify the endpoint is no longer accessible or properly sanitizes input after implementing workarounds.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /old/react/v1/api/system/dns/data
- Unexpected process execution by the web server account (for example, shell or network utilities spawned by the web server process)
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- Unusual outbound connections from the web server
- DNS queries to suspicious domains from the server
SIEM Query:
source="web_server_logs" AND (uri="/old/react/v1/api/system/dns/data" OR cmd="*;*" OR cmd="*|*" OR cmd="*`*" OR cmd="*$(*")
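The log indicators and SIEM query above can also be checked offline against raw access logs. The following script is an added example, not part of the original advisory or any vendor tooling: it assumes the web server writes combined-format access logs, parses each line, and flags requests to the vulnerable endpoint (POST requests in particular) as well as URL-encoded shell metacharacters in the query string, mirroring the `;`, `|`, `` ` `` and `$(` patterns in the SIEM query. The sample log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Vulnerable endpoint named in the advisory.
VULN_ENDPOINT = "/old/react/v1/api/system/dns/data"

# Shell metacharacters the advisory's SIEM query looks for: ; | ` $(
META_RE = re.compile(r";|\||`|\$\(")

# Combined log format (assumption): ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return the list of indicator names that apply to a parsed log entry."""
    hits = []
    base, _, query = entry["path"].partition("?")
    if base == VULN_ENDPOINT:
        hits.append("vuln_endpoint")
        # POST bodies are not written to access logs, so a POST to this
        # endpoint is itself the indicator to investigate.
        if entry["method"] == "POST":
            hits.append("post_to_vuln_endpoint")
    # Decode percent-encoding first so %3B (;) or %24%28 ($() are not missed.
    if query and META_RE.search(unquote(query)):
        hits.append("shell_metachar_in_query")
    return hits


def scan(lines):
    """Scan log lines; return (ip, method, status, indicators) for each match."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that do not match the expected format
        hits = classify(entry)
        if hits:
            findings.append((entry["ip"], entry["method"], entry["status"], hits))
    return findings


# Constructed sample log lines for demonstration (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Mar/2024:10:01:10 +0000] "GET /old/react/v1/api/system/dns/data HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Mar/2024:10:02:15 +0000] "POST /old/react/v1/api/system/dns/data HTTP/1.1" 200 44 "-" "curl/8.0"',
    '10.0.0.9 - - [10/Mar/2024:10:02:40 +0000] "GET /old/react/v1/api/system/dns/data?primary=8.8.8.8%3Bid HTTP/1.1" 200 44 "-" "curl/8.0"',
    '10.0.0.7 - - [10/Mar/2024:10:03:00 +0000] "GET /search?q=a%7Cb HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    'this line is not a valid access-log entry',
]

if __name__ == "__main__":
    for ip, method, status, hits in scan(SAMPLE_LOG):
        print(f"{ip} {method} {status} -> {', '.join(hits)}")
```

Running the script on the sample prints four findings: the two GETs and the POST to the DNS endpoint, plus the `/search` request whose decoded query contains `|`. Queries with metacharacters outside the vulnerable endpoint are reported separately because they are noisier; treat them as lower confidence and correlate with the process-execution and outbound-connection indicators listed above.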