CVE-2024-28064
📋 TL;DR
CVE-2024-28064 is a critical path traversal vulnerability in Kiteworks Totemomail that allows unauthenticated attackers to read, delete, and write arbitrary files on the server. This affects Totemomail 7.x and 8.x before version 8.3.0. The vulnerability is exploitable via the /responsiveUI/EnvelopeOpenServlet endpoint with specific parameters.
💻 Affected Systems
- Kiteworks Totemomail
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise including data exfiltration, file destruction, backdoor installation, and potential lateral movement to other systems.
Likely Case
Unauthorized access to sensitive email data, configuration files, and credentials stored on the server, potentially leading to data breach and system manipulation.
If Mitigated
Limited impact if proper network segmentation, WAF rules, and access controls prevent exploitation attempts.
🎯 Exploit Status
A detailed technical advisory with exploitation details is publicly available. The vulnerability requires minimal technical skill to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.3.0
Vendor Advisory: https://www.objectif-securite.ch/advisories/totemomail-path-traversal.txt
Restart Required: Yes
Instructions:
1. Backup current configuration and data.
2. Download Totemomail version 8.3.0 or later from official vendor sources.
3. Follow vendor upgrade documentation to apply the patch.
4. Restart the Totemomail service.
5. Verify the fix is applied.
🔧 Temporary Workarounds
WAF Rule Implementation
Implement web application firewall rules to block path traversal patterns (../, ..\ and their URL-encoded forms such as %2e%2e%2f) in requests to /responsiveUI/EnvelopeOpenServlet.
WAF-specific configuration commands vary by platform
Access Control Restriction
Restrict network access to the Totemomail interface to trusted IP addresses only. Linux iptables example (replace the bracketed placeholders with your own port and trusted address; the ACCEPT rule must precede the DROP rule, and add an ACCEPT for every trusted source before the DROP):
iptables -A INPUT -p tcp --dport [totemomail-port] -s [trusted-ip] -j ACCEPT
iptables -A INPUT -p tcp --dport [totemomail-port] -j DROP
🧯 If You Can't Patch
- Immediately isolate the Totemomail server from internet access and restrict to internal trusted networks only.
- Implement strict monitoring and alerting for any access attempts to the vulnerable endpoint with path traversal patterns.
🔍 How to Verify
Check if Vulnerable:
Check if Totemomail version is below 8.3.0 and test for path traversal via /responsiveUI/EnvelopeOpenServlet with messageId parameter containing ../ sequences.
Check Version:
Check Totemomail admin interface or configuration files for version information specific to your deployment.
Verify Fix Applied:
Verify Totemomail version is 8.3.0 or higher and test that path traversal attempts via the vulnerable endpoint are properly blocked.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /responsiveUI/EnvelopeOpenServlet with ../ sequences in parameters
- Unusual file access patterns from web server process
- Failed file operations from web application
Network Indicators:
- HTTP requests containing path traversal patterns (../, ..\, %2e%2e%2f)
- Unusual outbound data transfers from Totemomail server
SIEM Query:
source="totemomail_logs" AND (uri_path="/responsiveUI/EnvelopeOpenServlet" AND (param="../" OR param="..\\" OR param LIKE "%..%"))
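The log indicators and SIEM query above describe what to look for; the following is an added example (not from the original page or the vendor) of that detection logic applied to web-server access-log lines. It parses combined-log-format entries, percent-decodes query parameters repeatedly so that plain, single-encoded (%2e%2e%2f) and double-encoded (%252e%252e%252f) traversal sequences all normalise to ../, and reports requests to the vulnerable endpoint whose parameters contain a traversal sequence. The log lines, client addresses and parameter values are constructed for the example; the endpoint path is the one named on this page.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint named in the advisory; any request to it with traversal
# sequences in a parameter is the page's primary log indicator.
VULN_PATH = "/responsiveUI/EnvelopeOpenServlet"

# Matches ".." followed by a forward or back slash (../ and ..\).
TRAVERSAL = re.compile(r"\.\.[\\/]")

# Combined log format: client, ident, user, [timestamp], "METHOD target HTTP/x", status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# Constructed sample access-log lines (not real traffic): one legitimate
# request, three traversal attempts with increasing levels of encoding,
# one unrelated request, and a traversal attempt against another path.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2024:10:15:02 +0000] "GET /responsiveUI/EnvelopeOpenServlet?messageId=abc123&action=open HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2024:10:15:09 +0000] "GET /responsiveUI/EnvelopeOpenServlet?messageId=../../../../etc/passwd HTTP/1.1" 200 1842 "-" "curl/8.4.0"
198.51.100.7 - - [01/Mar/2024:10:15:11 +0000] "GET /responsiveUI/EnvelopeOpenServlet?messageId=%2e%2e%2f%2e%2e%2fconf%2fapp.properties HTTP/1.1" 200 921 "-" "curl/8.4.0"
198.51.100.7 - - [01/Mar/2024:10:15:13 +0000] "GET /responsiveUI/EnvelopeOpenServlet?messageId=%252e%252e%252fWEB-INF%252fweb.xml HTTP/1.1" 404 312 "-" "curl/8.4.0"
10.0.0.9 - - [01/Mar/2024:10:16:00 +0000] "GET /static/app.css HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Mar/2024:10:16:04 +0000] "GET /other/Servlet?file=../secret HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""


def fully_decode(value, rounds=3):
    """Percent-decode until the value stops changing (bounded), so that
    %2e%2e%2f and double-encoded %252e%252e%252f both become '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Split one combined-log-format line into client, path, query params and status.
    Returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl already performs one round of percent-decoding.
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {
        "client": m.group("client"),
        "ts": m.group("ts"),
        "path": unquote(parts.path),
        "params": params,
        "status": int(m.group("status")),
    }


def find_traversal_attempts(lines, path=VULN_PATH):
    """Return one finding per (request, parameter) whose decoded value contains
    a traversal sequence. With path=None every request path is inspected,
    which corresponds to the page's broader network indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if path is not None and rec["path"] != path:
            continue
        for name, raw in rec["params"]:
            decoded = fully_decode(raw)
            if TRAVERSAL.search(decoded):
                findings.append({
                    "client": rec["client"],
                    "ts": rec["ts"],
                    "path": rec["path"],
                    "param": name,
                    "decoded": decoded,
                    "status": rec["status"],  # 404 still counts: the attempt matters
                })
    return findings


def count_by_client(findings):
    """Aggregate findings per source address, useful for alert thresholds."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_traversal_attempts(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["ts"]} {h["client"]} {h["param"]}={h["decoded"]!r} status={h["status"]}')
    print("per client:", count_by_client(hits))
```

The decoder is bounded to a few rounds on purpose: unbounded decoding loops on crafted input, while three rounds already cover the single- and double-encoded variants listed under Network Indicators. Responses with a 404 status are kept because a failed attempt against the endpoint is still the indicator the page describes.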