CVE-2024-33879
📋 TL;DR
This vulnerability in Virto Bulk File Download for SharePoint allows attackers to download and delete arbitrary files on the server via path traversal in the isCompleted method. It affects VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019 installations. Attackers can exploit this without authentication to access sensitive system files.
💻 Affected Systems
- VirtoSoftware Virto Bulk File Download
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through downloading/deleting critical system files, potentially leading to data exfiltration, ransomware deployment, or service disruption.
Likely Case
Unauthorized access to sensitive SharePoint files, configuration files, or system files, leading to data theft or partial system compromise.
If Mitigated
Limited impact if proper network segmentation, file system permissions, and monitoring are in place to detect and block traversal attempts.
🎯 Exploit Status
Exploitation requires only HTTP requests with crafted path parameters. No authentication needed based on CVE description.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor documentation for latest secure version
Vendor Advisory: https://docs.virtosoftware.com/v/virto-security-frequently-asked-questions-faq
Restart Required: Yes
Instructions:
1. Review vendor security documentation. 2. Download and install latest patched version from VirtoSoftware. 3. Restart SharePoint services. 4. Verify the patch is applied.
🔧 Temporary Workarounds
Block vulnerable endpoint
windowsRestrict access to the vulnerable Virto.SharePoint.FileDownloader/Api/Download.ashx endpoint
IIS URL Rewrite rule to block /Virto.SharePoint.FileDownloader/Api/Download.ashx
Network segmentation
allIsolate SharePoint server from untrusted networks
🧯 If You Can't Patch
- Implement strict file system permissions to limit what the SharePoint application pool account can access
- Deploy WAF rules to detect and block path traversal patterns in HTTP requests
🔍 How to Verify
Check if Vulnerable:
Check if Virto Bulk File Download version 5.5.44 is installed in SharePoint 2019 environmentCheck Version:
Check SharePoint solution gallery or VirtoSoftware administration panel for version informationVerify Fix Applied:
Verify updated to version later than 5.5.44 and test the Download.ashx endpoint with traversal attempts📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /Virto.SharePoint.FileDownloader/Api/Download.ashx with ../ patterns
- File access events from SharePoint process to unexpected system paths
Network Indicators:
- HTTP requests containing path traversal sequences (../, ..\) to the vulnerable endpoint
SIEM Query:
source="iis" AND cs_uri_stem="/Virto.SharePoint.FileDownloader/Api/Download.ashx" AND cs_uri_query CONTAINS ".."🔗 References
- https://docs.virtosoftware.com/v/virto-security-frequently-asked-questions-faq
- https://download.virtosoftware.com/Manuals/nu_ncsc_virto_one_bulk_file_download_v5.4.4_pt_disclosure.pdf
- https://docs.virtosoftware.com/v/virto-security-frequently-asked-questions-faq
- https://download.virtosoftware.com/Manuals/nu_ncsc_virto_one_bulk_file_download_v5.4.4_pt_disclosure.pdf
