CVE-2024-37352
📋 TL;DR
This cross-site scripting vulnerability in the Absolute Secure Access management UI (versions prior to 13.06) allows an authenticated administrator to inject script that executes in the browser of other administrators who view the affected pages. Exploitation requires valid administrator credentials, and only administrators viewing the management UI are affected. The vulnerability can disrupt administrative operations but does not compromise confidentiality.
💻 Affected Systems
- Absolute Secure Access
📦 What is this software?
Absolute Secure Access (formerly NetMotion) is Absolute Software's enterprise remote access and zero-trust network access platform. Administrators configure it through a browser-based management console, which is the component affected by this vulnerability.
⚠️ Risk & Real-World Impact
Worst Case
A malicious or compromised administrator account stores script in a field that the management UI renders without proper output encoding. The script then runs in the browser session of every other administrator who loads that page and can break the console, repeatedly force other administrators out, or issue configuration changes using their sessions, potentially denying legitimate administrative access.
Likely Case
A privileged administrator injects script that temporarily disrupts other administrators' use of the management interface, requiring a page refresh or a logout/login to resolve.
If Mitigated
With proper administrator vetting and monitoring, impact is minimal: exploitation requires privileged credentials and the effect is limited to the management UI.
🎯 Exploit Status
Exploitation requires valid administrator credentials and knowledge of which management UI field is rendered without encoding. The realistic attacker is therefore a rogue or compromised administrator account, not an external unauthenticated party. This page references no public proof-of-concept.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.06
Vendor Advisory: https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1306/cve-2024-37352/
Restart Required: Yes
Instructions:
1. Download Absolute Secure Access version 13.06 from the vendor portal.
2. Back up the current configuration.
3. Apply the update following the vendor documentation.
4. Restart the Secure Access service.
5. Verify the update was successful by confirming that System > About reports 13.06 or higher.
🔧 Temporary Workarounds
Restrict Administrator Access
Limit the number of administrators and implement strict access controls to reduce the attack surface. Because the attacker must already hold an administrator account, every additional administrator is an additional potential injection point.
Implement Content Security Policy
Add CSP headers to restrict script execution in the management UI. On an appliance you cannot modify, this means terminating TLS for the management UI on a reverse proxy you control and adding the header there. Start with Content-Security-Policy-Report-Only, since a policy that blocks inline scripts the appliance's own pages depend on will break the console rather than protect it.
🧯 If You Can't Patch
- Implement strict administrator account monitoring and review all administrative actions
- Segment administrative networks and restrict access to management UI from trusted IPs only
🔍 How to Verify
Check if Vulnerable:
Check the Absolute Secure Access version in the management UI under System > About. If version is below 13.06, the system is vulnerable.
Check Version:
Check via management UI: System > About, or via CLI if available in your deployment.
Verify Fix Applied:
After updating to 13.06, verify that the version shown in System > About is 13.06 or higher. Then re-test the previously vulnerable management UI pages with a harmless marker (for example, a text value containing angle brackets entered in an administrator-editable field) and confirm it is now displayed as literal text rather than interpreted as markup.
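The version check above is done by hand in the UI. As an added example (not Absolute's tooling, and assuming the About page text contains a dotted version number such as "13.05"; the exact wording is not documented on this page), the following Python compares versions numerically across a fleet. Comparing version strings lexicographically is a common mistake: "9.9" sorts after "13.06" as a string, so a string comparison would report an old 9.x console as patched.

```python
import re

# Fixed version from the advisory on this page.
FIXED_IN = (13, 6)

# First dotted number in the About text, e.g. "13.05", "13.06.1", "v13.06".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(about_text):
    """Pull the first dotted version number out of text copied from
    System > About and return it as a tuple of ints, so '13.05' and
    'Version 13.05 (build 1234)' both become (13, 5). Treating 13.5 and
    13.05 as the same release is an assumption of this example."""
    m = _VERSION_RE.search(about_text)
    if not m:
        raise ValueError(f"no version number in {about_text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_lt(a, b):
    """Numeric comparison padded with zeros so (13, 6) == (13, 6, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def is_vulnerable(about_text):
    """True if the reported version is older than the 13.06 fix."""
    return version_lt(parse_version(about_text), FIXED_IN)


def hosts_needing_patch(about_by_host):
    """Given {hostname: About-page text}, return (hosts still below 13.06,
    hosts whose version could not be parsed). The second list exists so an
    unparseable host is never silently treated as patched."""
    vulnerable, unknown = [], []
    for host, text in sorted(about_by_host.items()):
        try:
            if is_vulnerable(text):
                vulnerable.append(host)
        except ValueError:
            unknown.append(host)
    return vulnerable, unknown


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {
        "sa-01": "Absolute Secure Access 13.05",
        "sa-02": "Absolute Secure Access 13.07",
        "sa-03": "About page text without a version",
    }
    print(hosts_needing_patch(inventory))
```

Feed `hosts_needing_patch` whatever inventory source you keep (CMDB export, a spreadsheet of About-page screenshots) and treat both returned lists as work items.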
📡 Detection & Monitoring
Log Indicators:
- Unusual administrator login patterns
- Multiple failed login attempts followed by successful login
- Administrative actions from unexpected locations/times
Network Indicators:
- Unusual traffic patterns to management UI endpoints
- Multiple administrator sessions from same credentials
SIEM Query (pseudo-query; the field names and the suspicious_pattern / suspicious_ip_list placeholders must be mapped to your deployment's log schema and allow-lists):
source="secure_access_logs" AND (event_type="admin_login" OR event_type="admin_action") AND (user_agent contains suspicious_pattern OR src_ip in suspicious_ip_list)
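The indicators above are phrased as a single SIEM filter. As an added example (not part of this page or Absolute's product, and assuming a constructed key=value log format rather than Absolute's real schema), the following Python runs the same four checks over sample log lines: a burst of failed logins followed by a success, administrator activity from outside the trusted admin networks, one administrator identity active from several source IPs within a short window, and configuration changes at off-hours. The trusted network, thresholds and off-hours range are assumptions to tune for your environment.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example, not Absolute's log schema: one event per line,
# ISO-8601 UTC timestamp first, then space-separated key=value fields.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]
OFF_HOURS = range(0, 6)             # UTC hours in which admin changes are unexpected
FAILURE_THRESHOLD = 3               # failed logins before a success that we flag
WINDOW = timedelta(minutes=10)      # lookback for failure bursts and concurrent IPs


def parse_line(line):
    """Turn one log line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts_str, _, rest = line.strip().partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def analyse(lines):
    """Return (timestamp, user, rule, detail) alerts for the indicators on this page."""
    alerts = []
    failures = defaultdict(list)        # user -> timestamps of recent failed logins
    last_seen = defaultdict(dict)       # user -> {source ip: last activity timestamp}
    reported_ip_sets = set()            # (user, ip set) already alerted on
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        user, ts = ev["user"], ev["ts"]
        ip = ipaddress.ip_address(ev["src_ip"])

        if ev["event_type"] == "admin_login" and ev["result"] == "failure":
            failures[user].append(ts)
            continue                    # a failure alone is not alerted; the burst is

        if ev["event_type"] == "admin_login":
            burst = [t for t in failures[user] if ts - t <= WINDOW]
            if len(burst) >= FAILURE_THRESHOLD:
                alerts.append((ts, user, "failures_then_success",
                               f"{len(burst)} failed logins within {WINDOW}"))
            failures[user].clear()

        if ev["event_type"] == "admin_action" and ts.hour in OFF_HOURS:
            alerts.append((ts, user, "off_hours_action", ev.get("action", "?")))

        if not any(ip in net for net in TRUSTED_ADMIN_NETS):
            alerts.append((ts, user, "untrusted_source", str(ip)))

        # One admin identity active from more than one IP inside the window.
        last_seen[user][ip] = ts
        live = frozenset(i for i, t in last_seen[user].items() if ts - t <= WINDOW)
        if len(live) > 1 and (user, live) not in reported_ip_sets:
            reported_ip_sets.add((user, live))
            alerts.append((ts, user, "concurrent_source_ips",
                           ",".join(sorted(map(str, live)))))
    return alerts


# Constructed sample log, not captured from a real system.
SAMPLE_LOG = """\
2024-06-11T02:30:00Z event_type=admin_action user=carol src_ip=10.0.5.40 result=success action=edit_policy
2024-06-11T08:12:03Z event_type=admin_login user=alice src_ip=10.0.5.21 result=success
2024-06-11T08:13:10Z event_type=admin_action user=alice src_ip=10.0.5.21 result=success action=edit_policy
2024-06-11T08:15:00Z event_type=admin_login user=bob src_ip=203.0.113.7 result=failure
2024-06-11T08:15:05Z event_type=admin_login user=bob src_ip=203.0.113.7 result=failure
2024-06-11T08:15:09Z event_type=admin_login user=bob src_ip=203.0.113.7 result=failure
2024-06-11T08:15:20Z event_type=admin_login user=bob src_ip=203.0.113.7 result=success
2024-06-11T08:16:00Z event_type=admin_action user=alice src_ip=198.51.100.9 result=success action=edit_policy
"""

if __name__ == "__main__":
    for ts, user, rule, detail in analyse(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {user:6} {rule:24} {detail}")
```

On the sample, carol's 02:30 change trips the off-hours rule, bob's login trips both the failure-burst and untrusted-source rules, and alice's action from 198.51.100.9 trips untrusted-source and, because her 10.0.5.21 session was active three minutes earlier, the concurrent-IP rule. The concurrent-IP alert is deduplicated per distinct IP set so a long session does not re-alert on every event.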