CVE-2024-26478
📋 TL;DR
This vulnerability in Statping-ng v0.91.0 allows attackers to retrieve sensitive user information through unauthorized API requests to the /api/users endpoint. It affects all systems running the vulnerable version of Statping-ng, which is a self-hosted status page monitoring tool. The exposure of user data could include usernames, email addresses, and potentially other account details.
💻 Affected Systems
- Statping-ng
📦 What is this software?
Statping-ng, the community-maintained fork of Statping: a self-hosted status page and uptime monitoring tool with a web dashboard and a JSON API (the /api/users endpoint lists its user accounts).
⚠️ Risk & Real-World Impact
Worst Case
Attackers could obtain complete user databases including usernames, email addresses, and potentially hashed passwords, leading to credential stuffing attacks, targeted phishing campaigns, or identity theft.
Likely Case
Unauthorized access to user information including usernames and email addresses, which could be used for targeted attacks or reconnaissance.
If Mitigated
With proper network segmentation and access controls, impact is limited to internal reconnaissance only.
🎯 Exploit Status
Proof of concept code is publicly available on GitHub. Exploitation requires only HTTP requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.92.0 or later
Vendor Advisory: https://github.com/statping-ng/statping-ng
Restart Required: Yes
Instructions:
1. Back up your Statping-ng configuration and database.
2. Stop the Statping-ng service.
3. Update to v0.92.0 or later from the official GitHub repository.
4. Restart the Statping-ng service.
5. Verify the fix by testing the /api/users endpoint without credentials.
🔧 Temporary Workarounds
Network Access Control
Restrict access to the Statping-ng API endpoints using firewall rules or reverse proxy configuration. With the iptables rules below, order matters: the ACCEPT for the trusted network must come before the DROP, and because -A appends, any earlier ACCEPT rule in the INPUT chain for that port will still match first. Check with iptables -L INPUT -n --line-numbers after applying.
iptables -A INPUT -p tcp --dport [STATPING_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [STATPING_PORT] -j DROP
Reverse Proxy Authentication
Place Statping-ng behind a reverse proxy (nginx, Caddy, Traefik, etc.) that requires authentication for /api/ paths, so the application never sees an unauthenticated request to /api/users.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Statping-ng from untrusted networks
- Deploy a web application firewall (WAF) with rules to block unauthorized access to /api/users endpoint
🔍 How to Verify
Check if Vulnerable:
Send a GET request to http://[statping_host]:[port]/api/users and check if user data is returned without authentication.
Check Version:
Read the version shown in the Statping-ng web interface (dashboard or settings page). If running in Docker, docker ps shows only the image tag, which may be "latest"; use docker inspect on the container (or the image's labels) to confirm the actual version.
Verify Fix Applied:
After patching, attempt the same GET request to /api/users endpoint - it should return an authentication error or empty response.
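The check above can be scripted so the same probe is run before and after patching and yields an unambiguous verdict. This is an added example for this advisory, not code from the Statping-ng project. It assumes (not stated on this page) that /api/users answers with JSON, either a bare array of user objects or an object wrapping them, and the field names in SENSITIVE_KEYS are only guesses at what a leaked record might contain.

```python
"""Probe a Statping-ng instance for unauthenticated exposure of /api/users.

Added example for this advisory; it is not code from the Statping-ng project.
Assumptions not taken from the advisory: the endpoint returns JSON, either a
bare array of user objects or an object wrapping them, and the field names in
SENSITIVE_KEYS are only guesses at what a leaked record might contain.
"""
import json
import urllib.error
import urllib.request

# Hypothetical field names worth flagging if they appear in a returned record.
SENSITIVE_KEYS = {"password", "api_key", "api_secret", "token", "email"}


def classify_users_response(status: int, body: bytes) -> dict:
    """Decide from (status, body) whether an unauthenticated caller got user data.

    Returns a dict with 'vulnerable' (bool), 'reason' (str) and, when data
    leaked, 'users' (count) and 'sensitive_fields' (sorted field names seen).
    """
    if status in (401, 403):
        return {"vulnerable": False, "reason": f"HTTP {status}: authentication enforced"}
    if status != 200:
        return {"vulnerable": False, "reason": f"HTTP {status}: unexpected response"}
    try:
        data = json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        return {"vulnerable": False, "reason": "HTTP 200 with a non-JSON body"}

    # Accept either a bare list or a wrapper object (assumed shapes, see docstring).
    if isinstance(data, list):
        users = data
    elif isinstance(data, dict):
        users = data.get("output") or data.get("users") or []
    else:
        users = []
    users = [u for u in users if isinstance(u, dict)]
    if not users:
        return {"vulnerable": False, "reason": "HTTP 200 but no user records in body"}

    seen = set()
    for record in users:
        seen.update(k for k in record if k.lower() in SENSITIVE_KEYS)
    return {
        "vulnerable": True,
        "reason": f"{len(users)} user record(s) returned without credentials",
        "users": len(users),
        "sensitive_fields": sorted(seen),
    }


def fetch_users(base_url: str, timeout: float = 5.0) -> tuple:
    """GET /api/users with no cookie or Authorization header; return (status, body)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/users",
        headers={"Accept": "application/json"},
        method="GET",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # 401/403 arrive as exceptions; keep the status and body for classification.
        return err.code, err.read()


def check_instance(base_url: str) -> dict:
    """Run the probe against a live instance and classify the result."""
    status, body = fetch_users(base_url)
    return classify_users_response(status, body)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"
    verdict = check_instance(target)
    print(json.dumps(verdict, indent=2))
    sys.exit(1 if verdict["vulnerable"] else 0)
```

Run it as `python3 probe.py http://statping.internal:8080` before and after the upgrade; a non-zero exit means records came back without credentials. Keep the classification separate from the network call so the same logic can be unit-tested against captured responses, and only treat 401/403 or an empty result as "fixed": a 200 with any user record, even one without a password field, is still the information disclosure this advisory describes.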
📡 Detection & Monitoring
Log Indicators:
- Multiple unauthorized requests to /api/users endpoint
- 401/403 errors followed by successful 200 responses to /api/users
Network Indicators:
- Unusual traffic patterns to /api/users endpoint from external IPs
- GET requests to /api/users without authentication headers
SIEM Query:
source="statping-ng" AND uri_path="/api/users" AND response_code=200 AND NOT authenticated_user=*
(Field names are placeholders; map them to the fields your reverse proxy or SIEM actually records. Statping-ng itself does not log whether a request carried credentials, so the authenticated_user field has to come from the proxy in front of it. Tune out known monitoring hosts by source IP rather than by User-Agent, which an attacker controls.)
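The two log indicators above (an unauthenticated 200 on /api/users, and a 401/403 from a source followed by a 200 from the same source) can be expressed as a small detection that runs over proxy logs. This is an added example for this advisory, not part of the Statping-ng project or any SIEM; it assumes a hypothetical JSON-per-line access log from the reverse proxy in front of Statping-ng that records whether the request carried credentials ("auth"), and the sample lines are constructed, not real traffic.

```python
"""Flag suspicious /api/users activity in reverse-proxy logs.

Added example for this advisory, not part of the Statping-ng project. It assumes
a hypothetical JSON-per-line access log from the proxy in front of Statping-ng
that records whether the request carried credentials ("auth"); adapt the field
names to whatever your proxy or SIEM actually emits.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real traffic: one unauthenticated scrape that
# succeeds after a denied probe, one legitimate authenticated read, and an
# unrelated denied probe.
SAMPLE_LOG = """\
{"ts":"2024-03-01T10:00:01Z","src":"203.0.113.7","method":"GET","path":"/api/users","status":401,"auth":false}
{"ts":"2024-03-01T10:00:02Z","src":"203.0.113.7","method":"GET","path":"/api/users","status":200,"auth":false}
{"ts":"2024-03-01T10:05:00Z","src":"10.0.0.5","method":"GET","path":"/api/users","status":200,"auth":true}
{"ts":"2024-03-01T10:06:00Z","src":"198.51.100.9","method":"GET","path":"/api/services","status":200,"auth":false}
{"ts":"2024-03-01T10:07:00Z","src":"198.51.100.9","method":"GET","path":"/api/users","status":403,"auth":false}
"""

TARGET_PATH = "/api/users"


def parse_log(text: str) -> list:
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(text: str, window: timedelta = timedelta(minutes=10)) -> list:
    """Return alerts for the two indicators described in the advisory.

    unauth_users_200: a 200 to /api/users with no credentials (the leak itself).
    denied_then_200:  a 401/403 on /api/users from a source followed within
                      `window` by a 200 from the same source.
    """
    alerts = []
    last_denied = defaultdict(lambda: None)  # src -> time of last 401/403 on the path
    for ev in parse_log(text):
        if ev["path"] != TARGET_PATH:
            continue
        src, status, ts = ev["src"], ev["status"], ev["ts"]
        if status in (401, 403):
            last_denied[src] = ts
            continue
        if status != 200:
            continue
        if not ev.get("auth", False):
            alerts.append({"rule": "unauth_users_200", "src": src, "ts": ts.isoformat()})
        denied_at = last_denied[src]
        if denied_at is not None and ts - denied_at <= window:
            alerts.append({"rule": "denied_then_200", "src": src, "ts": ts.isoformat(),
                           "denied_at": denied_at.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the sample input both rules fire for 203.0.113.7 and nothing fires for the authenticated read from 10.0.0.5 or the lone 403 from 198.51.100.9. The "denied then 200" rule is the more durable of the two after patching: once the fix is applied an unauthenticated 200 should never occur, so any hit on either rule is worth an immediate look rather than a threshold.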