CVE-2024-34882
📋 TL;DR
This vulnerability allows remote administrators in Bitrix24 to send SMTP account passwords to arbitrary external servers via HTTP POST requests due to insufficient credential protection. It affects Bitrix24 version 23.300.100 and potentially other versions. The issue enables credential exfiltration from SMTP server configurations.
💻 Affected Systems
- 1C-Bitrix Bitrix24
📦 What is this software?
Bitrix24, a collaboration and CRM platform by 1C-Bitrix.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain SMTP credentials, enabling email spoofing, phishing campaigns, data exfiltration via email, and potential lateral movement to other systems using the same credentials.
Likely Case
Credential theft leading to unauthorized email sending, potential account compromise if credentials are reused, and exposure of sensitive email communications.
If Mitigated
Limited impact with proper access controls, credential rotation, and network segmentation preventing external credential transmission.
🎯 Exploit Status
Exploitation requires administrator privileges. GitHub repository contains proof-of-concept.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor for latest version > 23.300.100
Vendor Advisory: http://bitrix24.com
Restart Required: No
Instructions:
1. Update Bitrix24 to the latest version.
2. Check the vendor advisory for specific patch details.
3. Verify SMTP configuration security after the update.
🔧 Temporary Workarounds
Restrict Administrator Access
Limit administrator accounts to trusted personnel only and implement multi-factor authentication.
Network Segmentation
Block outbound HTTP and HTTPS from the Bitrix24 server to untrusted external destinations, allowing only the destinations it legitimately needs (vendor update and licensing hosts, internal mail relay, integrations). Note that iptables cannot distinguish POST from other HTTP methods, so this blocks all web traffic to non-allowlisted destinations; dropping all outbound 80/443 without an allowlist would also break updates and integrations. Replace 192.0.2.0/24 (a placeholder) with your trusted networks or hosts:
iptables -A OUTPUT -p tcp --dport 80 -d 192.0.2.0/24 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -d 192.0.2.0/24 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict access controls for administrator accounts with monitoring.
- Rotate all SMTP credentials and monitor for unauthorized usage.
🔍 How to Verify
Check if Vulnerable:
Check Bitrix24 version. If version is 23.300.100 or earlier, assume vulnerable. Review administrator audit logs for suspicious SMTP configuration changes.
Check Version:
Check Bitrix24 admin panel or configuration files for version information.
Verify Fix Applied:
Update to latest version and test SMTP configuration functionality. Verify no unauthorized credential transmission occurs.
📡 Detection & Monitoring
Log Indicators:
- Unusual SMTP configuration changes in admin logs
- HTTP POST requests from Bitrix24 to external servers containing credential-like data
Network Indicators:
- Outbound HTTP POST traffic from Bitrix24 server to unusual external IPs
- SMTP authentication attempts from unexpected locations
SIEM Query:
source="bitrix24_logs" AND (event="smtp_config_change" OR http_method="POST") AND dest_ip NOT IN (trusted_ips)
(Pseudo-query; adapt field names to your SIEM, and define trusted_ips as a lookup of the destinations the Bitrix24 server is expected to contact.)
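The network indicator above (HTTP POST from the Bitrix24 host to an untrusted destination carrying credential-like form data) can be checked offline against egress-proxy logs. The following is an added example written for this page, not code from the page, from Bitrix24 or from its vendor. The JSON-lines log format, the field names, the host 10.0.5.20, the trusted network 10.0.0.0/8 and the suffix .corp.internal are all constructed assumptions; the destination addresses are documentation-range placeholders. It allowlists known-good destinations, grades each remaining POST by whether the body contains a credential-like parameter, and masks the credential value so the alert itself does not re-leak the secret.

```python
import ipaddress
import json
import re
from urllib.parse import urlparse

# Constructed sample egress-proxy log (JSON lines) for a Bitrix24 host.
# Field names and values are assumptions for this example, not a real
# Bitrix24 or proxy log format.
SAMPLE_LOG = """
{"ts": "2024-05-01T10:00:01Z", "src": "10.0.5.20", "method": "POST", "url": "https://203.0.113.50/ping", "body": "ver=23.300.100"}
{"ts": "2024-05-01T10:00:05Z", "src": "10.0.5.20", "method": "GET", "url": "http://203.0.113.10/index.html", "body": ""}
{"ts": "2024-05-01T10:00:07Z", "src": "10.0.5.20", "method": "POST", "url": "https://mail.corp.internal/api", "body": "smtp_password=x"}
{"ts": "2024-05-01T10:00:09Z", "src": "10.0.5.20", "method": "POST", "url": "http://203.0.113.10/collect", "body": "smtp_host=mail.corp.internal&smtp_login=noreply&smtp_password=s3cr3t"}
{"ts": "2024-05-01T10:00:12Z", "src": "10.0.7.9", "method": "POST", "url": "http://203.0.113.10/collect", "body": "password=x"}
"""

# Assumed environment facts: which hosts run Bitrix24 and which destinations
# are legitimate for it (internal mail relay, vendor update host, etc.).
BITRIX_HOSTS = {"10.0.5.20"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_SUFFIXES = (".corp.internal",)

# Parameter names that usually carry a credential in a form-encoded body.
CRED_KEY = re.compile(r"(?:^|&)[^=&]*(?:pass|pwd|secret|token)[^=&]*=", re.I)
CRED_VALUE = re.compile(r"((?:^|&)[^=&]*(?:pass|pwd|secret|token)[^=&]*=)[^&]*", re.I)


def is_trusted_destination(url: str) -> bool:
    """True if the URL's host is an allowlisted IP network or DNS suffix."""
    host = urlparse(url).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: fall back to the DNS-suffix allowlist.
        return host.endswith(TRUSTED_SUFFIXES)
    return any(addr in net for net in TRUSTED_NETS)


def redact(body: str) -> str:
    """Mask credential values so the alert does not re-leak them."""
    return CRED_VALUE.sub(r"\1***", body)


def find_exfil_candidates(log_text: str) -> list[dict]:
    """Return POSTs from Bitrix24 hosts to untrusted destinations, graded
    'high' when the body carries a credential-like parameter, else 'low'."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["src"] not in BITRIX_HOSTS or ev["method"] != "POST":
            continue
        if is_trusted_destination(ev["url"]):
            continue
        has_cred = bool(CRED_KEY.search(ev["body"]))
        findings.append({
            "ts": ev["ts"],
            "dest": urlparse(ev["url"]).hostname,
            "severity": "high" if has_cred else "low",
            "redacted_body": redact(ev["body"]),
        })
    return findings


if __name__ == "__main__":
    for finding in find_exfil_candidates(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the script reports two findings: a low-severity POST to 203.0.113.50 with no credential material, and a high-severity POST to 203.0.113.10 whose body contains smtp_password (masked in the output). The GET, the POST to the trusted internal relay, and the POST from a non-Bitrix24 host are ignored, which is the point of keeping the allowlist and host inventory explicit rather than alerting on every outbound POST.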