CVE-2024-34060
📋 TL;DR
CVE-2024-34060 is an arbitrary file write vulnerability in IrisEVTXModule that allows attackers to write malicious files to the server during EVTX file uploads. When combined with Server Side Template Injection (SSTI), this can lead to remote code execution. Organizations using IrisEVTXModule versions before 1.0.0 are affected.
💻 Affected Systems
- IrisEVTXModule
- iris-evtx-module
- Evtx2Splunk with Iris integration
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.
Likely Case
Arbitrary file write enabling file manipulation, potential data corruption, and preparation for further exploitation.
If Mitigated
Limited to file system manipulation without RCE if SSTI is properly mitigated or disabled.
🎯 Exploit Status
Achieving remote code execution requires chaining the file write with SSTI; the arbitrary file write on its own is simpler to exploit. No public exploit code has been identified yet.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.0
Vendor Advisory: https://github.com/dfir-iris/iris-evtx-module/security/advisories/GHSA-9rw6-5q9j-82fm
Restart Required: Yes
Instructions:
1. Stop the iris-web service.
2. Update iris-evtx-module to version 1.0.0 via pip: 'pip install iris-evtx-module==1.0.0'.
3. Restart the iris-web service.
4. Verify the fix by checking the module version.
🔧 Temporary Workarounds
Disable EVTX upload functionality
Temporarily disable the vulnerable EVTX file upload pipeline in the iris-web configuration
Edit the iris-web configuration to disable iris-evtx-module or EVTX processing
Implement file upload restrictions
Configure a web application firewall or reverse proxy to restrict EVTX file uploads
🧯 If You Can't Patch
- Implement strict file upload validation and sanitization at the application layer
- Deploy network segmentation to isolate iris-web instances from critical systems
🔍 How to Verify
Check if Vulnerable:
Check the installed iris-evtx-module version with 'pip show iris-evtx-module'; the system is vulnerable if the version is below 1.0.0.
Check Version:
pip show iris-evtx-module | grep Version
Verify Fix Applied:
Confirm version is 1.0.0 or higher: 'pip show iris-evtx-module | grep Version'
📡 Detection & Monitoring
Log Indicators:
- Unusual EVTX file uploads with suspicious filenames
- File write operations to unexpected locations
- SSTI-related error messages in application logs
Network Indicators:
- Multiple EVTX file upload attempts
- Unusual outbound connections from iris-web server
SIEM Query:
source="iris-web" AND (event="file_upload" OR event="evtx_processing") AND (filename CONTAINS ".." OR filename CONTAINS "/")
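As an added example (not from this page or the iris-evtx-module project), the following Python applies the detection logic above to constructed iris-web style upload log lines and shows the filename normalisation a hardened upload handler could apply. The log line format and field names are assumed; backslash separators and NUL bytes are flagged in addition to the page's ".." and "/" indicators.

```python
import re
from pathlib import PurePosixPath
from typing import List, Optional

# Constructed sample log lines in an assumed iris-web style; not real iris-web output.
SAMPLE_LOG = r"""
2024-05-01T10:02:11Z iris-web event=file_upload user=analyst filename="Security.evtx"
2024-05-01T10:02:40Z iris-web event=evtx_processing user=analyst filename="System.evtx"
2024-05-01T10:03:05Z iris-web event=file_upload user=guest filename="../../tmp/upload.evtx"
2024-05-01T10:03:09Z iris-web event=file_upload user=guest filename="/tmp/abs.evtx"
2024-05-01T10:03:15Z iris-web event=file_upload user=guest filename="..\..\win.evtx"
2024-05-01T10:04:00Z iris-web event=login user=guest result=ok
"""

# Assumed key=value layout: an event name followed later by a quoted filename.
LINE_RE = re.compile(r'event=(?P<event>\S+) .*?filename="(?P<filename>[^"]*)"')
UPLOAD_EVENTS = ("file_upload", "evtx_processing")


def is_suspicious_filename(name: str) -> bool:
    """True if the name could escape the upload directory.

    Covers the page's ".." and "/" indicators, plus Windows-style backslash
    separators and embedded NUL bytes (added generalisation)."""
    return ".." in name or "/" in name or "\\" in name or "\x00" in name


def scan_upload_log(text: str) -> List[dict]:
    """Return one finding per upload/processing event with a traversal-like filename."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["event"] not in UPLOAD_EVENTS:
            continue  # not an upload event, or no filename field present
        if is_suspicious_filename(m["filename"]):
            findings.append({"event": m["event"], "filename": m["filename"], "line": line})
    return findings


def safe_evtx_name(user_supplied: str) -> Optional[str]:
    """Hardened filename handling (illustrative, not the project's actual fix).

    Keep only the final path component, require a .evtx suffix, and reject any
    name that changed under normalisation or still looks like traversal."""
    base = PurePosixPath(user_supplied.replace("\\", "/")).name
    if base != user_supplied or is_suspicious_filename(base):
        return None
    if not base.lower().endswith(".evtx"):
        return None
    return base


if __name__ == "__main__":
    for finding in scan_upload_log(SAMPLE_LOG):
        print("ALERT", finding["event"], repr(finding["filename"]))
```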
🔗 References
- https://github.com/dfir-iris/iris-evtx-module/commit/4e45fc94a31e1ee4641d608a387dfd9f9e68dbca
- https://github.com/dfir-iris/iris-evtx-module/security/advisories/GHSA-9rw6-5q9j-82fm