CVE-2024-32406
📋 TL;DR
This CVE describes a Server-Side Template Injection (SSTI) vulnerability in the Relate Learning and Teaching System that allows remote attackers to execute arbitrary code via the Batch-Issue Exam Tickets function. Attackers can achieve remote code execution on affected servers. Organizations running Relate versions before 2024.1 are affected.
💻 Affected Systems
- Relate Learning and Teaching System
📦 What is this software?
Relate by Inducer
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal sensitive data, install malware, pivot to other systems, and maintain persistent access.
Likely Case
Attackers gain shell access to the server, potentially accessing student data, exam materials, and administrative credentials, leading to data breach and system disruption.
If Mitigated
With proper network segmentation and least privilege, impact limited to the application server with no lateral movement to critical systems.
🎯 Exploit Status
Exploitation requires authentication to access the vulnerable function, but once accessed, the SSTI payload execution is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.1
Vendor Advisory: https://github.com/inducer/relate/releases/tag/2024.1
Restart Required: Yes
Instructions:
1. Backup your Relate installation and database.
2. Update to Relate version 2024.1 or later using pip: pip install --upgrade 'relate>=2024.1' (the requirement must be quoted, otherwise the shell treats the > as an output redirection).
3. Restart the Relate service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable Batch-Issue Exam Tickets Function
Temporarily disable or restrict access to the vulnerable Batch-Issue Exam Tickets function until patching can be completed.
# Modify Relate configuration to remove/disable the vulnerable endpoint
# Implementation depends on your specific deployment configuration
Implement WAF Rules
Deploy Web Application Firewall rules to block SSTI payload patterns in requests to the vulnerable endpoint.
# Example ModSecurity rule (the regex also matches legitimate double-brace text, so scope it to the ticket endpoint and review for false positives before enforcing):
SecRule ARGS "@rx \{\{.*\}\}" "id:1001,phase:2,deny,msg:'SSTI attempt detected'"
# Implementation varies by WAF platform
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Relate servers from critical systems
- Apply principle of least privilege to Relate service accounts and restrict shell access
🔍 How to Verify
Check if Vulnerable:
Check your Relate version. If it's older than 2024.1, you are vulnerable. Also review access logs for suspicious requests to the Batch-Issue Exam Tickets endpoint.
Check Version:
python -c "import relate; print(relate.__version__)" or check the Relate admin interface
Verify Fix Applied:
After updating, confirm the version is 2024.1 or newer and test that the Batch-Issue Exam Tickets function works without allowing template injection.
📡 Detection & Monitoring
Log Indicators:
- Unusual template syntax in POST requests to exam ticket endpoints
- Multiple failed authentication attempts followed by successful access to the vulnerable function
- Commands like 'os.system', 'subprocess', or 'eval' in request parameters
Network Indicators:
- Unusual outbound connections from Relate server to external IPs
- Large data exfiltration from the Relate server
SIEM Query:
source="relate-logs" AND (uri_path="/exam/tickets/batch" AND (request_body="{{*" OR request_body="${*" OR request_body="*|*"))
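The log and SIEM indicators above, turned into a small log scanner as an added example that is not part of the original advisory. The endpoint path is taken from the SIEM query and is an assumption about your deployment's URL routing; the log lines and their tab-separated layout are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote_plus

# Assumed endpoint path (copied from the SIEM query); adjust to your deployment's routing.
TICKET_PATH = "/exam/tickets/batch"

# Two indicator classes from the advisory: template-expression syntax ({{, ${, |)
# and code-execution keywords appearing in request parameters.
TEMPLATE_SYNTAX = re.compile(r"\{\{|\$\{|\|")
EXEC_KEYWORDS = re.compile(r"os\.system|subprocess|\beval\b")


@dataclass
class Hit:
    line_no: int
    client: str
    reasons: List[str]  # which indicator classes matched, for analyst triage


def scan_log(lines):
    """Return one Hit per POST to the ticket endpoint whose body carries an indicator.

    Log layout (constructed for this example): timestamp, client IP, method, path,
    raw request body, separated by tabs. Bodies are URL-decoded before matching so
    that percent-encoded braces (%7B%7B) are not missed.
    """
    hits = []
    for n, raw in enumerate(lines, start=1):
        parts = raw.rstrip("\n").split("\t")
        if len(parts) != 5:
            continue  # malformed record: skip rather than abort the whole scan
        _ts, client, method, path, body = parts
        if method != "POST" or path != TICKET_PATH:
            continue
        decoded = unquote_plus(body)
        reasons = []
        if TEMPLATE_SYNTAX.search(decoded):
            reasons.append("template-syntax")
        if EXEC_KEYWORDS.search(decoded):
            reasons.append("exec-keyword")
        if reasons:
            hits.append(Hit(n, client, reasons))
    return hits


# Constructed sample log: one benign batch request, one off-path request that must
# not be flagged, a percent-encoded template payload, a payload with both indicator
# classes, and a truncated record.
SAMPLE_LOG = [
    "2024-04-15T10:01:02Z\t10.0.0.5\tPOST\t/exam/tickets/batch\tflow_id=quiz-1&count=30",
    "2024-04-15T10:01:09Z\t10.0.0.7\tGET\t/course/notes\tq=%7B%7B+syntax+%7D%7D",
    "2024-04-15T10:02:41Z\t198.51.100.9\tPOST\t/exam/tickets/batch\tformat=%7B%7B+x+%7D%7D",
    "2024-04-15T10:02:55Z\t198.51.100.9\tPOST\t/exam/tickets/batch\tformat=${x}&note=subprocess",
    "2024-04-15T10:03:00Z\t10.0.0.5\tPOST",
]
```

A bare `|` in a body is a weak indicator on its own; the recorded reasons let an analyst prioritise hits that also carry `{{`, `${` or an execution keyword.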