CVE-2024-37767
📋 TL;DR
This vulnerability allows attackers to access all user information in 14Finger v1.1 through insecure permissions in the /api/admin/user component. Attackers can exploit this by sending a crafted GET request without proper authentication. Any organization using the vulnerable version of 14Finger is affected.
💻 Affected Systems
- 14Finger
📦 What is this software?
14finger by B1ackc4t
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all user data including usernames, emails, and potentially sensitive information, leading to data breach, identity theft, or credential harvesting attacks.
Likely Case
Unauthorized access to user information enabling reconnaissance, targeted attacks, or data exfiltration.
If Mitigated
Limited or no impact if proper access controls, network segmentation, and authentication mechanisms are implemented.
🎯 Exploit Status
The exploit requires only a crafted GET request to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://github.com/b1ackc4t/14Finger/issues/12
Restart Required: No
Instructions:
Check the GitHub repository for updates. If no patch is available, consider implementing workarounds or migrating to a different solution.
🔧 Temporary Workarounds
Restrict API Access
Implement access controls to restrict access to the /api/admin/user endpoint to authorized users only.
# Example using web server config (nginx)
location /api/admin/user {
    deny all;
    # Or implement proper authentication
}
Network Segmentation
Restrict network access to the 14Finger instance to trusted IP addresses only.
# Example using iptables
sudo iptables -A INPUT -p tcp --dport [14Finger_PORT] -s [TRUSTED_IP] -j ACCEPT
sudo iptables -A INPUT -p tcp --dport [14Finger_PORT] -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure.
- Monitor logs for unauthorized access attempts to the vulnerable endpoint.
🔍 How to Verify
Check if Vulnerable:
Send a GET request to /api/admin/user endpoint and check if it returns user information without authentication.
Check Version:
Check the application version in the web interface or configuration files.
Verify Fix Applied:
After implementing controls, verify that unauthorized requests to /api/admin/user are blocked or return appropriate error responses.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized GET requests to /api/admin/user endpoint
- Multiple failed authentication attempts followed by successful access
Network Indicators:
- Unusual traffic patterns to the /api/admin/user endpoint
- Requests from unexpected IP addresses
SIEM Query:
source="web_server_logs" AND uri="/api/admin/user" AND response_code=200 AND NOT user_agent="authorized_client"
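As an added example (not code from the advisory or from the 14Finger project), the log indicators above applied to constructed nginx access-log lines: any HTTP 200 on /api/admin/user from outside an allowlist is flagged. The "combined" log format and the trusted networks are assumptions; adjust both to your deployment.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed nginx "combined" log_format; adjust the regex if yours differs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Hypothetical allowlist of networks that may reach the admin API.
TRUSTED = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]
WATCHED_PREFIX = "/api/admin/user"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip):
    """True if the client address lies inside one of the allowlisted networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED)


def find_suspicious(lines):
    """Return (ip, timestamp, status, user_agent) for successful admin-API
    reads from untrusted sources; a 200 here means the endpoint served data
    although the network control should have blocked the request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["uri"].split("?", 1)[0]  # ignore query string
        if path.startswith(WATCHED_PREFIX) and rec["status"] == "200" \
                and not is_trusted(rec["ip"]):
            hits.append((rec["ip"], rec["ts"], rec["status"], rec["ua"]))
    return hits


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /api/admin/user HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /api/admin/user HTTP/1.1" 200 4312 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /api/admin/user?page=2 HTTP/1.1" 403 153 "-" "curl/8.0"',
    '198.51.100.3 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("ALERT unauthenticated admin-API read:", hit)
```

Only the second sample line is reported: the 403 shows the control working, and the other two lines are either trusted or off-target.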