CVE-2024-25693
📋 TL;DR
This path traversal vulnerability in Esri Portal for ArcGIS allows authenticated attackers to access files outside intended directories, potentially leading to sensitive data exposure or remote code execution. It affects all Portal for ArcGIS installations running versions 11.2 and earlier. Organizations using this software for geospatial data management are at risk.
💻 Affected Systems
- Esri Portal for ArcGIS
📦 What is this software?
Portal for ArcGIS is the web front end and content, identity and sharing component of Esri's ArcGIS Enterprise. Organizations use it to host and share maps, apps and geospatial datasets with authenticated users.
⚠️ Risk & Real-World Impact
Worst Case
Remote authenticated attacker gains full system compromise through arbitrary code execution, potentially accessing sensitive geospatial data, credentials, and pivoting to other systems.
Likely Case
Authenticated users or attackers with stolen credentials access sensitive configuration files, user data, or internal documents stored on the server.
If Mitigated
With the patch applied, or with traversal sequences blocked in front of the portal and the service account restricted to the directories it needs, requests are confined to the intended content directory and the attacker gains no file access beyond normal Portal permissions.
🎯 Exploit Status
Requires authenticated access but path traversal vulnerabilities are typically straightforward to exploit once authentication is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.3 or apply Security 2024 Update 1
Vendor Advisory: https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1/
Restart Required: Yes
Instructions:
1. Back up your Portal for ArcGIS configuration and data.
2. Download and install Portal for ArcGIS 11.3, or Security 2024 Update 1 for your installed version, from My Esri.
3. Follow Esri's upgrade or patch documentation for your specific deployment (including high-availability and Web Adaptor configurations).
4. Restart all Portal for ArcGIS services.
🔧 Temporary Workarounds
Restrict authenticated user access
Temporarily reduce the attack surface by limiting authenticated accounts to essential personnel, disabling self-registration and unused built-in accounts, and requiring strong authentication for the accounts that remain.
Implement web application firewall rules
Block path traversal patterns in HTTP requests. This only protects traffic that actually passes through the WAF: Portal for ArcGIS also listens directly on port 7443, so firewall that port so that only the Web Adaptor or reverse proxy can reach it. ArcGIS REST parameters are heavily URL-encoded, so run new rules in detection-only mode (SecRuleEngine DetectionOnly) against real traffic before enforcing them.
# Example ModSecurity (v2 syntax) rules to block directory traversal patterns.
# Decode twice (to catch double encoding) and match a ".." path segment bounded
# by "/" or "\" in the URI, argument values and argument names. Do NOT add
# t:normalizePath: it resolves ".." away and hides the attack. Rules that denied
# every %2f, %5c or %25 were removed because they break legitimate ArcGIS REST
# requests, whose parameters are routinely URL-encoded.
SecRule REQUEST_URI|ARGS|ARGS_NAMES "@rx (?:^|[/\\])\.\.(?:[/\\]|$)" \
    "id:1001,phase:2,t:none,t:urlDecodeUni,t:urlDecodeUni,deny,status:403,log,msg:'Path traversal attempt'"
# Block null bytes (raw or encoded), used to truncate file names in some traversal payloads
SecRule REQUEST_URI|ARGS "@rx (?:%00|\x00)" \
    "id:1003,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Null byte injection'"
🧯 If You Can't Patch
- Isolate Portal for ArcGIS servers from sensitive network segments and implement strict network segmentation
- Implement enhanced monitoring for file access patterns and alert on unusual directory traversal attempts
🔍 How to Verify
Check if Vulnerable:
An installation is vulnerable if it runs Portal for ArcGIS 11.2 or earlier and Security 2024 Update 1 has not been installed. The version number alone is not enough: a patched 11.2 still reports 11.2, so also check the installed patch list (on Windows, Programs and Features > Installed Updates; Esri's ArcGIS Enterprise patch notification tool also lists installed patches).
Check Version:
Open the Portal Administrator Directory at https://portal.domain.com/arcgis/portaladmin (replace the host and context with your own) and read the version shown on the landing page; appending ?f=json to that URL returns the same value in the version field of the JSON response.
Verify Fix Applied:
Confirm the version shows 11.3 or later, or that Security 2024 Update 1 appears in the installed patch list on every Portal machine (all members of a high-availability pair must be patched). Then confirm, from an authorized test account, that requests containing traversal sequences are rejected rather than served.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in Portal logs
- HTTP requests containing '../', '..\', or encoded traversal sequences
- Failed authentication attempts followed by successful logins and file access
Network Indicators:
- HTTP requests with path traversal sequences in URLs or parameters
- Unusual outbound connections from Portal servers after file access
SIEM Query (Splunk-style; matches only literal sequences, so pair it with matching on the URL-decoded request target to catch %2e%2e%2f and double-encoded variants):
source="portal_logs" AND (uri="*../*" OR uri="*..\\*" OR params="*../*" OR params="*..\\*")
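The SIEM query above only matches literal traversal sequences. The following added example (written for this page, not Esri code) shows the decoded, segment-aware matching a detection should do instead: it percent-decodes the request target repeatedly so that single, double and backslash-encoded variants all reduce to a ".." path segment, while a ".." inside ordinary text (a title such as "Version 2.0.. final") is not flagged. The log lines, hosts, users and item paths are constructed for the example; the log format is assumed to be NCSA combined-style, as a reverse proxy in front of Portal would write.

```python
"""Flag path-traversal attempts in access logs after URL normalisation.

Added example for this page, not Esri code. Sample log lines, IPs, users and
paths below are constructed; the log format is assumed NCSA combined-style.
"""
import re
from urllib.parse import unquote

# Constructed sample lines: one legitimate item fetch, four traversal variants
# from the same account (plain, single-encoded, double-encoded, backslash),
# and one benign request whose query value happens to contain "..".
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2024:10:01:02 +0000] "GET /portal/sharing/rest/content/items/abc123/data HTTP/1.1" 200 5120
10.0.0.9 - bob [12/Mar/2024:10:02:11 +0000] "GET /portal/sharing/rest/content/items/../../../../etc/passwd HTTP/1.1" 403 0
10.0.0.9 - bob [12/Mar/2024:10:02:15 +0000] "GET /portal/sharing/rest/content/items/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1312
10.0.0.9 - bob [12/Mar/2024:10:02:20 +0000] "GET /portal/sharing/rest/content/items/%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1312
10.0.0.9 - bob [12/Mar/2024:10:02:25 +0000] "GET /portal/sharing/rest/content/items/..%5c..%5cwindows%5cwin.ini HTTP/1.1" 200 92
10.0.0.7 - carol [12/Mar/2024:10:03:00 +0000] "GET /portal/home/index.html?title=Version%202.0..%20final HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)


def normalize(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded, to catch double/triple encoding),
    treat backslashes as path separators and drop NUL bytes."""
    s = target
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/").replace("\x00", "")


def is_traversal(target: str) -> bool:
    """True if a '..' path segment appears in the decoded path or in any
    slash-delimited query value; a '..' inside free text is not a hit."""
    norm = normalize(target)
    path, _, query = norm.partition("?")
    if ".." in path.split("/"):
        return True
    for pair in query.split("&"):
        _, _, value = pair.partition("=")
        if ".." in value.split("/"):
            return True
    return False


def scan(log_text: str) -> list:
    """Return one record per request whose target is a traversal attempt.
    A 200 on such a request is the critical signal: the file was served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["target"]):
            continue
        hits.append({
            "ip": m["ip"], "user": m["user"], "status": int(m["status"]),
            "target": m["target"], "decoded": normalize(m["target"]),
        })
    return hits


def traversal_by_user(log_text: str) -> dict:
    """Count attempts per account; a run from one authenticated user, not a
    single blocked request, is the indicator worth alerting on."""
    counts = {}
    for hit in scan(log_text):
        counts[hit["user"]] = counts.get(hit["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["user"]}@{hit["ip"]} {hit["status"]} {hit["decoded"]}')
    print(traversal_by_user(SAMPLE_LOG))
```

Against the constructed log the scan flags all four of bob's requests, three of which returned 200 and so merit immediate investigation, while carol's benign query value is ignored. Feed real reverse-proxy or Web Adaptor logs to scan() and alert on any hit with a 2xx status or on repeated hits from one account.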