CVE-2024-29843
📋 TL;DR
The Evolution Controller web interface has a missing-authentication flaw in the MOBILE_GET_USERS_LIST endpoint: an unauthenticated attacker who can reach the web interface can enumerate every user account and its access level. Affected: Evolution Controller versions 2.04.560.31.03.2024 and below.
💻 Affected Systems
- Evolution Controller
📦 What is this software?
Evolution Controller by CS Technologies
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain complete user directory with access levels, enabling targeted credential attacks, privilege escalation, or lateral movement within the system.
Likely Case
Attackers harvest user accounts and access levels to identify high-privilege targets for credential stuffing or social engineering attacks.
If Mitigated
Exposure is limited to whoever can still reach the web interface (for example the trusted management network); the data disclosed is reconnaissance only and does not by itself compromise the controller.
🎯 Exploit Status
Exploitation is a single HTTP request to the endpoint with no authentication. The low complexity makes weaponisation likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: any release later than 2.04.560.31.03.2024
Vendor Advisory: https://directcyber.com.au/sa/CVE-2024-29836-to-29844-evolution-controller-multiple-vulnerabilities.html
Restart Required: Yes
Instructions:
1. Obtain the patched firmware from CS Technologies (the Evolution Controller vendor).
2. Back up the current controller configuration.
3. Apply the firmware update.
4. Restart the controller.
5. Verify that the web interface works and that the unauthenticated check below no longer returns a user list.
🔧 Temporary Workarounds
Network Access Restriction
Restrict access to the Evolution Controller web interface to trusted networks only. The controller is a vendor appliance, so apply the filtering on a Linux firewall or gateway in front of it rather than on the controller itself; the FORWARD chain is used below for that reason (the original INPUT-chain rules would only filter traffic addressed to the firewall host). CONTROLLER_IP and TRUSTED_NETWORK are placeholders for the controller's address and your management subnet in CIDR form; adjust the ports if the web interface listens elsewhere. The rules are inserted at the head of the chain in reverse order, so the finished chain reads ACCEPT (trusted) then DROP (everyone else), ahead of any pre-existing catch-all rule.
iptables -I FORWARD 1 -p tcp -d CONTROLLER_IP --dport 443 -j DROP
iptables -I FORWARD 1 -p tcp -d CONTROLLER_IP --dport 80 -j DROP
iptables -I FORWARD 1 -p tcp -d CONTROLLER_IP --dport 443 -s TRUSTED_NETWORK -j ACCEPT
iptables -I FORWARD 1 -p tcp -d CONTROLLER_IP --dport 80 -s TRUSTED_NETWORK -j ACCEPT
Web Interface Disable
Temporarily disable the web interface if it is not required. On the appliance itself this has to be done through the vendor's own configuration, or by blocking the ports at the network edge as above. The commands below are the generic pattern for a Linux host that fronts the interface (for example a reverse proxy you operate); the service name evolution-web is a placeholder, not a name documented by the vendor. Stop and disable the service rather than changing file permissions, since a running server keeps serving files it has already opened.
systemctl stop evolution-web
systemctl disable evolution-web
🧯 If You Can't Patch
- Implement network segmentation to isolate Evolution Controller from untrusted networks
- Deploy a web application firewall (WAF) or reverse proxy in front of the controller with a rule that blocks requests to the MOBILE_GET_USERS_LIST endpoint; match the endpoint name case-insensitively and ignore the query string, and confirm with the unauthenticated check below that the rule returns 403 rather than the user list
🔍 How to Verify
Check if Vulnerable:
From a host that holds no session on the controller, request the MOBILE_GET_USERS_LIST endpoint (the advisory names the endpoint; use the exact path and HTTP method your interface exposes, for example GET /MOBILE_GET_USERS_LIST). If the response contains user accounts and their access levels, the controller is vulnerable.
Check Version:
Check web interface login page or system information page for version number
Verify Fix Applied:
Repeat the same unauthenticated request. A fixed controller should answer 401 Unauthorized or 403 Forbidden (or redirect to the login page) and return no user data in the body. Check the body rather than trusting the status code alone: a 200 whose body is only the login page is acceptable, a 200 that still carries the user list is not.
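The unauthenticated probe described above, as an added example (not vendor, advisory or page code). It assumes the endpoint answers a plain GET at /MOBILE_GET_USERS_LIST and that a vulnerable response is JSON, either a list of user objects or an object with a "users" list; both are assumptions, since the page gives only the endpoint name, so adjust PATH and looks_like_user_list() to the real interface. Redirects are deliberately not followed, because a bounce to the login page is itself part of the verdict.

```python
"""Unauthenticated probe for CVE-2024-29843 on an Evolution Controller.

Added example, not vendor or advisory code. Assumptions (not from the page):
the endpoint answers a plain GET at /MOBILE_GET_USERS_LIST, and a vulnerable
response is JSON (a list of user objects, or an object with a "users" list).
"""
import json
import ssl
import sys
import urllib.error
import urllib.request

PATH = "/MOBILE_GET_USERS_LIST"  # endpoint name from the advisory; exact path assumed


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a bounce to the login page is itself the signal."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError with the 3xx code


def looks_like_user_list(body: bytes) -> bool:
    """Heuristic: does the body look like a directory of users with access levels?"""
    text = body.decode("utf-8", "replace")
    try:
        data = json.loads(text)
    except ValueError:
        # Non-JSON (login page, error text): count it as a user list only if it
        # mentions both users and access levels and is not an HTML form.
        low = text.lower()
        return "user" in low and "access" in low and "<form" not in low
    if isinstance(data, dict):
        data = data.get("users", [])  # the "users" key is an assumption
    return isinstance(data, list) and len(data) > 0 and all(isinstance(u, dict) for u in data)


def classify(status: int, body: bytes) -> str:
    """Map the HTTP status and body of the unauthenticated probe to a verdict."""
    if status in (401, 403):
        return "fixed"          # the endpoint now demands authentication
    if 300 <= status < 400:
        return "redirected"     # usually a bounce to the login page; confirm manually
    if status == 200 and looks_like_user_list(body):
        return "vulnerable"     # user directory served without a session
    return "inconclusive"       # e.g. 200 with a login page, 404, 5xx


def probe(base_url: str, insecure: bool = False, timeout: float = 10.0) -> str:
    """Send one unauthenticated GET to the endpoint and classify the answer.

    insecure=True skips TLS certificate validation, which appliances with
    self-signed certificates often need; use it only over a trusted path.
    """
    ctx = ssl._create_unverified_context() if insecure else None
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(base_url.rstrip("/") + PATH,
                                 headers={"User-Agent": "cve-2024-29843-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # 3xx/4xx/5xx land here because redirects are not followed
        return classify(err.code, err.read())


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py https://controller-address [--insecure]")
    print(probe(sys.argv[1], insecure="--insecure" in sys.argv))
```

Run it once before patching (expect "vulnerable") and again afterwards (expect "fixed"); a "redirected" or "inconclusive" verdict means the body needs a manual look, since a 200 carrying only the login page is fine while a 200 carrying the user list is not.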
📡 Detection & Monitoring
Log Indicators:
- Multiple unauthenticated requests to /MOBILE_GET_USERS_LIST
- Unusual access patterns to user enumeration endpoints
Network Indicators:
- Unusual HTTP traffic to controller web interface from untrusted sources
- Pattern of requests to sensitive endpoints without authentication
SIEM Query (pseudo-query; the source name and field names are illustrative and must be mapped to how your log pipeline records the controller's web requests):
source="evolution_controller" AND (url="/MOBILE_GET_USERS_LIST" OR url="*GET_USERS*") AND auth_status="unauthenticated"
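The log indicators above, turned into detection logic as an added example (not vendor or page code). It assumes web requests to the controller are recorded in Common Log Format, as a reverse proxy or collector in front of the appliance might write them, with "-" in the remote-user field meaning no authenticated user; the controller's own log format is not documented on this page, so LOG_PATTERN and the "-" convention are assumptions to adapt. The sample log lines and the 192.168.10.0/24 management network are constructed for the example.

```python
"""Flag unauthenticated requests to the Evolution Controller user-list
endpoint (CVE-2024-29843) in web access logs.

Added example, not vendor code. Assumes Common Log Format lines; the sample
below is constructed. Adjust LOG_PATTERN and TRUSTED_NETWORKS to your site.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: 203.0.113.7 and 198.51.100.23 are untrusted sources,
# 192.168.10.0/24 is the management LAN, "-" in the third field means the
# request carried no authenticated user.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2024:10:01:02 +1000] "GET /MOBILE_GET_USERS_LIST HTTP/1.1" 200 4821 "-" "python-requests/2.31"
203.0.113.7 - - [10/Apr/2024:10:01:03 +1000] "GET /MOBILE_GET_USERS_LIST HTTP/1.1" 200 4821 "-" "python-requests/2.31"
192.168.10.5 - admin [10/Apr/2024:10:05:44 +1000] "GET /MOBILE_GET_USERS_LIST HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.168.10.9 - - [10/Apr/2024:10:06:10 +1000] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Apr/2024:10:07:00 +1000] "GET /mobile_get_users_list?x=1 HTTP/1.1" 200 4821 "-" "curl/8.4.0"
198.51.100.23 - - [10/Apr/2024:10:07:01 +1000] "GET /MOBILE_GET_USERS_LIST HTTP/1.1" 401 0 "-" "curl/8.4.0"
this line is not a log record
"""

LOG_PATTERN = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)
ENDPOINT = "mobile_get_users_list"
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.10.0/24")]  # assumed management LAN


def is_user_list_request(path: str) -> bool:
    """Match the endpoint name case-insensitively, ignoring any query string."""
    return path.split("?", 1)[0].lower().rstrip("/").endswith(ENDPOINT)


def is_trusted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def summarize_user_list_requests(log_text: str) -> dict:
    """Per source IP, count unauthenticated hits on the endpoint, split into
    'served' (2xx: user data left the device) and 'denied' (401/403).
    Authenticated requests, other paths and unparsable lines are ignored."""
    summary = defaultdict(lambda: {"served": 0, "denied": 0})
    for line in log_text.splitlines():
        m = LOG_PATTERN.match(line)
        if not m or not is_user_list_request(m.group("path")):
            continue
        if m.group("user") != "-":
            continue  # authenticated session: legitimate use of the endpoint
        status = int(m.group("status"))
        if 200 <= status < 300:
            summary[m.group("ip")]["served"] += 1
        elif status in (401, 403):
            summary[m.group("ip")]["denied"] += 1
    return dict(summary)


def alerts(summary: dict) -> list:
    """Untrusted sources that were actually served user data, most hits first.
    A denied-only source is reconnaissance against a fixed controller: worth
    watching, but not an exposure."""
    return sorted(
        (ip for ip, c in summary.items() if c["served"] > 0 and not is_trusted(ip)),
        key=lambda ip: -summary[ip]["served"],
    )


if __name__ == "__main__":
    s = summarize_user_list_requests(SAMPLE_LOG)
    for ip in alerts(s):
        print(f"ALERT {ip}: {s[ip]['served']} unauthenticated user-list responses served, "
              f"{s[ip]['denied']} denied")
```

The split between served and denied matters after patching: denied hits show that someone is still probing the endpoint, while any served hit from outside the management network means the user directory has already left the device and the accounts in it should be treated as exposed.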