CVE-2024-34887
📋 TL;DR
This vulnerability allows a remote attacker holding administrator privileges in Bitrix24 to exfiltrate the AD/LDAP administrator account password to an arbitrary external server via HTTP POST requests. It affects Bitrix24 installations with AD/LDAP integration configured. The issue stems from insufficient protection of the credentials stored in the AD/LDAP server settings.
💻 Affected Systems
- 1C-Bitrix Bitrix24
📦 What is this software?
Bitrix24 by 1C-Bitrix
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain AD/LDAP domain administrator credentials, enabling full domain compromise, lateral movement, and data exfiltration.
Likely Case
Credential theft leading to unauthorized access to directory services and potential privilege escalation within the network.
If Mitigated
Limited to credential exposure without immediate exploitation if strong network segmentation and monitoring are in place.
🎯 Exploit Status
Exploitation requires administrator privileges in Bitrix24. Public proof-of-concept code is available in the referenced GitHub repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 23.300.200 or later
Vendor Advisory: http://bitrix24.com
Restart Required: No
Instructions:
1. Log into the Bitrix24 admin panel.
2. Navigate to System Settings > Updates.
3. Apply available updates to version 23.300.200 or higher.
4. Verify that AD/LDAP settings are properly configured post-update.
🔧 Temporary Workarounds
Disable AD/LDAP Integration
Temporarily disable AD/LDAP server integration until patching is possible.
Navigate to Bitrix24 admin panel > Settings > LDAP/AD and disable integration
Restrict Administrator Access
Limit Bitrix24 administrator accounts to trusted personnel only.
Review and reduce administrator privileges in Bitrix24 user management
🧯 If You Can't Patch
- Implement network segmentation to isolate Bitrix24 server from AD/LDAP infrastructure
- Enable detailed logging and monitoring of all HTTP POST requests from Bitrix24 to external servers
🔍 How to Verify
Check if Vulnerable:
Check the Bitrix24 version in the admin panel and whether AD/LDAP integration is enabled; installations below 23.300.200 with AD/LDAP integration configured are affected.
Check Version:
Check version in Bitrix24 admin dashboard under System Information
Verify Fix Applied:
Confirm version is 23.300.200 or higher and test AD/LDAP functionality remains operational.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP POST requests from Bitrix24 to external IP addresses
- Multiple failed AD/LDAP authentication attempts following credential changes
Network Indicators:
- Outbound HTTP traffic from Bitrix24 server to unfamiliar domains/IPs
- Unencrypted credential transmission in network captures
SIEM Query:
source="bitrix24" AND (http_method="POST" AND dest_ip NOT IN [allowed_servers])
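The SIEM query above is pseudo-syntax. As an added example (not part of this advisory and not Bitrix24 code), the script below applies the same detection logic to constructed egress-proxy log lines: it parses each line, keeps only POST requests originating from the Bitrix24 server, and flags any whose destination host is not on an allowlist, additionally noting plaintext HTTP. The log format, host names, IP addresses and allowlist are all assumptions chosen for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed egress-proxy log lines for the example (not real traffic).
# Assumed format: <timestamp> <src_ip> <method> <url> <status> <bytes_sent>
SAMPLE_LOG = """\
2024-05-10T10:01:02Z 10.0.5.20 GET https://updates.example-bitrix.invalid/check 200 512
2024-05-10T10:02:15Z 10.0.5.20 POST https://updates.example-bitrix.invalid/apply 200 2048
2024-05-10T10:03:40Z 10.0.5.20 POST http://203.0.113.45/collect 200 734
2024-05-10T10:04:01Z 10.0.9.77 POST https://crm.partner.invalid/api 200 128
2024-05-10T10:05:09Z 10.0.5.20 POST http://exfil.example.invalid/ldap 200 901
"""

# One regex for the assumed log format; the host group stops at '/', ':' or whitespace
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<scheme>https?)://(?P<host>[^/:\s]+)(?::\d+)?(?P<path>/\S*)?\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_allowed(host, allowed_hosts, allowed_nets):
    """True if the destination is an allowlisted hostname or an IP inside an allowlisted network."""
    if host in allowed_hosts:
        return True
    try:
        ip = ip_address(host)
    except ValueError:
        # A hostname that is not on the allowlist is not allowed
        return False
    return any(ip in net for net in allowed_nets)


def find_suspicious_posts(log_text, bitrix_hosts, allowed_hosts, allowed_nets=()):
    """Flag outbound POSTs from the Bitrix24 server(s) to non-allowlisted destinations.

    bitrix_hosts: set of source IPs that are Bitrix24 servers (assumed)
    allowed_hosts: set of destination hostnames that are expected (e.g. the update server)
    allowed_nets: CIDR strings for internal networks (e.g. where the AD/LDAP server lives)
    """
    nets = [ip_network(n) for n in allowed_nets]
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] not in bitrix_hosts or rec["method"] != "POST":
            continue
        if is_allowed(rec["host"], allowed_hosts, nets):
            continue
        rec["reason"] = "outbound POST to non-allowlisted destination"
        if rec["scheme"] == "http":
            # Credentials sent over plaintext HTTP would be readable in a capture
            rec["reason"] += "; plaintext HTTP"
        hits.append(rec)
    return hits


if __name__ == "__main__":
    alerts = find_suspicious_posts(
        SAMPLE_LOG,
        bitrix_hosts={"10.0.5.20"},
        allowed_hosts={"updates.example-bitrix.invalid"},
        allowed_nets=("10.0.0.0/8",),
    )
    for a in alerts:
        print(f'{a["ts"]} {a["src"]} -> {a["host"]}{a["path"] or ""} ({a["reason"]})')
```

In the sample data the update-server POST and the POST from an unrelated internal host are ignored, while the two POSTs from the Bitrix24 server to non-allowlisted external destinations are reported. In production the allowlist should be built from the destinations the Bitrix24 server legitimately contacts, and the AD/LDAP server itself belongs in `allowed_nets` so that normal directory traffic is not flagged.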