CVE-2024-23831
📋 TL;DR
This is a Cross-Site Request Forgery (CSRF) vulnerability in LedgerSMB that allows attackers to trick authenticated database administrators into unknowingly creating new user accounts with full application privileges. Attackers can exploit this by getting an admin to click a malicious link while logged into the setup interface. This affects all LedgerSMB installations with database administrators using the setup.pl interface.
💻 Affected Systems
- LedgerSMB
📦 What is this software?
LedgerSMB by LedgerSMB
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the accounting system with attacker creating administrative accounts, accessing financial data, and potentially modifying or deleting critical accounting records.
Likely Case
Unauthorized user creation leading to privilege escalation, data theft, and potential financial fraud within the accounting system.
If Mitigated
Limited impact if administrators use separate accounts for setup activities and follow security best practices for session management.
🎯 Exploit Status
Exploitation requires social engineering: the attacker must trick an authenticated administrator into clicking a malicious link while logged into the setup interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.10.30 or 1.11.9
Vendor Advisory: https://github.com/ledgersmb/LedgerSMB/security/advisories/GHSA-98ff-f638-qxjm
Restart Required: Yes
Instructions:
1. Back up your database and configuration.
2. Update LedgerSMB to version 1.10.30 (stable branch) or 1.11.9 (development branch).
3. Restart the web application server.
4. Verify the patch is applied by checking the version.
🔧 Temporary Workarounds
Restrict Setup Access
Limit access to the /setup.pl interface to specific trusted IP addresses or networks only. Configure the web server (Apache/Nginx) to restrict access to /setup.pl.
Use Separate Admin Accounts
Create separate administrator accounts specifically for setup activities and use different accounts for regular operations.
🧯 If You Can't Patch
- Implement strict access controls to /setup.pl interface using network segmentation
- Require administrators to use separate browser sessions or incognito mode for setup activities
🔍 How to Verify
Check if Vulnerable:
Check if LedgerSMB version is below 1.10.30 (for 1.10.x) or below 1.11.9 (for 1.11.x)
Check Version:
Check LedgerSMB web interface footer or examine package version via system package manager
Verify Fix Applied:
Verify version is 1.10.30 or higher (stable) or 1.11.9 or higher (development)
📡 Detection & Monitoring
Log Indicators:
- Unexpected user creation events
- Multiple failed login attempts followed by successful admin login
- Access to /setup.pl from unusual IP addresses
Network Indicators:
- HTTP POST requests to /setup.pl with user creation parameters from unexpected sources
SIEM Query:
source="web_logs" AND (uri="/setup.pl" AND method="POST" AND (params CONTAINS "newuser" OR params CONTAINS "action=create"))
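The indicators above can be checked directly against web server access logs. The following is an added example, not code from the page or from the LedgerSMB project: it parses a few constructed Apache/Nginx "combined"-format lines and raises the three indicators the page names (access to /setup.pl from outside a trusted network, POSTs carrying the user-creation markers from the SIEM query, and, as an extension typical for CSRF hunting, a POST to /setup.pl whose Referer is not the application's own origin). The trusted network 10.0.0.0/8, the origin https://ledger.example.internal and the parameter names are assumptions; the page does not name the real setup.pl parameters. One caveat: an access log records only the query string, not the POST body, so body parameters require a proxy, WAF or application log such as the "params" field the SIEM query assumes.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache/Nginx "combined" log format (not taken from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2024:09:12:01 +0000] "POST /setup.pl HTTP/1.1" 200 512 "https://ledger.example.internal/setup.pl" "Mozilla/5.0"
203.0.113.77 - - [10/Feb/2024:09:15:44 +0000] "GET /setup.pl HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Feb/2024:09:16:02 +0000] "POST /setup.pl?action=create&newuser=alice HTTP/1.1" 302 0 "https://evil.example/lure.html" "Mozilla/5.0"
10.0.0.9 - - [10/Feb/2024:09:20:10 +0000] "GET /login.pl HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # assumed admin network
APP_ORIGIN = "https://ledger.example.internal"         # assumed application origin
USER_CREATION_MARKERS = ("newuser", "action=create")   # markers from the page's SIEM query

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def same_origin(referer, origin):
    """True when the Referer's scheme://host matches the application origin."""
    r = urlsplit(referer)
    return f"{r.scheme}://{r.netloc}" == origin


def check_entry(entry):
    """Return the indicator names raised by a single access-log entry."""
    findings = []
    url = urlsplit(entry["target"])
    if url.path != "/setup.pl":
        return findings

    # Indicator: setup interface reached from outside the trusted admin network.
    src = ipaddress.ip_address(entry["ip"])
    if not any(src in net for net in TRUSTED_NETS):
        findings.append("setup_access_untrusted_ip")

    if entry["method"] == "POST":
        # Indicator: user-creation parameters visible in the query string.
        qs = url.query.lower()
        if any(marker in qs for marker in USER_CREATION_MARKERS):
            findings.append("setup_user_creation_params")
        # Indicator: state-changing POST whose Referer is another site (CSRF pattern).
        ref = entry["referer"]
        if ref and ref != "-" and not same_origin(ref, APP_ORIGIN):
            findings.append("setup_post_cross_site_referer")
    return findings


def scan_log(text):
    """Scan log text; return (line number, source ip, indicator) tuples."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        for finding in check_entry(entry):
            alerts.append((lineno, entry["ip"], finding))
    return alerts


if __name__ == "__main__":
    for lineno, ip, finding in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {ip} -> {finding}")
```

A Referer that is absent or "-" is deliberately not flagged: browsers strip it under many referrer policies, so its absence alone is too noisy to alert on, while a present cross-origin Referer on a POST to /setup.pl is a strong signal worth a ticket.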
🔗 References
- https://github.com/ledgersmb/LedgerSMB/commit/8c2ae5be68a782d62cb9c0e17c0127bf30ef4165
- https://github.com/ledgersmb/LedgerSMB/security/advisories/GHSA-98ff-f638-qxjm