CVE-2024-24398
📋 TL;DR
This CVE describes a critical directory traversal vulnerability in Stimulsoft Dashboard.JS that allows remote attackers to execute arbitrary code by sending a crafted payload to the fileName parameter of the Save function. All systems running vulnerable versions of Stimulsoft Dashboard.JS are affected, particularly those exposed to untrusted user input.
💻 Affected Systems
- Stimulsoft Dashboard.JS
📦 What is this software?
Dashboards.php by Stimulsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with remote code execution, data theft, ransomware deployment, and lateral movement within the network.
Likely Case
Remote code execution leading to data exfiltration, installation of backdoors, or deployment of malware on affected systems.
If Mitigated
Limited impact with proper network segmentation, input validation, and least privilege principles in place, potentially reducing to denial of service or limited file access.
🎯 Exploit Status
The vulnerability requires sending a crafted payload to the fileName parameter, which is straightforward for attackers with basic knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.1.2
Vendor Advisory: http://stimulsoft.com
Restart Required: Yes
Instructions:
1. Download Stimulsoft Dashboard.JS version 2024.1.2 or later from the official vendor website.
2. Replace the existing Stimulsoft Dashboard.JS files with the updated version.
3. Restart the application or web server hosting Stimulsoft Dashboard.JS.
4. Verify the update by checking the version number in the application settings or configuration files.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation to reject any file names containing directory traversal sequences (e.g., '../', '..\').
Implement server-side validation to check fileName parameter for traversal patterns before processing.
Network Segmentation and Access Control
Restrict network access to the Stimulsoft Dashboard.JS application to trusted IP addresses only.
Configure firewall rules to allow access only from authorized networks or IP ranges.
🧯 If You Can't Patch
- Disable or restrict access to the Save function in Stimulsoft Dashboard.JS if not required for business operations.
- Implement a web application firewall (WAF) with rules to block directory traversal payloads targeting the fileName parameter.
🔍 How to Verify
Check if Vulnerable:
Check the version of Stimulsoft Dashboard.JS installed; if it is earlier than 2024.1.2, the system is vulnerable.
Check Version:
Check the Stimulsoft Dashboard.JS documentation or configuration files for version information; there is no universal command as it depends on the deployment method.
Verify Fix Applied:
Confirm that the Stimulsoft Dashboard.JS version is 2024.1.2 or later by checking the version in the application or configuration files.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access attempts in server logs, especially involving directory traversal sequences (e.g., '../') in file names.
- Failed or successful attempts to access the Save function with suspicious payloads.
Network Indicators:
- HTTP requests to the Save function with crafted fileName parameters containing traversal sequences.
- Unusual outbound connections from the server post-exploitation.
SIEM Query:
Search for HTTP requests containing patterns like '*../*' or '*..\\*' in the fileName parameter to the Save endpoint.