CVE-2024-39943
📋 TL;DR
This vulnerability allows remote authenticated users with upload permissions to execute arbitrary operating system commands on rejetto HFS servers. The issue occurs because the application uses execSync instead of spawnSync when executing the df command, enabling command injection. Affected systems include HFS version 3 before 0.52.10 running on Linux, UNIX, and macOS platforms.
💻 Affected Systems
- rejetto HFS (HTTP File Server)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with remote authenticated attackers gaining root/administrator privileges, allowing data theft, ransomware deployment, or complete system takeover.
Likely Case
Authenticated attackers with upload permissions execute arbitrary commands to steal data, install backdoors, or pivot to other systems in the network.
If Mitigated
Limited impact with proper network segmentation, minimal user privileges, and command execution restrictions in place.
🎯 Exploit Status
Exploitation requires authenticated access with upload permissions. The vulnerability is a classic command injection issue with clear exploitation path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.52.10
Vendor Advisory: https://github.com/rejetto/hfs/commit/305381bd36eee074fb238b64302a252668daad1d
Restart Required: Yes
Instructions:
1. Download HFS version 0.52.10 or later from the official repository.
2. Stop the running HFS service.
3. Replace the existing installation with the patched version.
4. Restart the HFS service.
🔧 Temporary Workarounds
Remove upload permissions (scope: all)
- Remove upload permissions from all authenticated users to prevent exploitation.
- Modify the HFS configuration to remove upload permissions from user accounts.
Network segmentation (scope: all)
- Isolate HFS servers from critical systems and restrict network access.
- Configure firewall rules to limit HFS server network access.
🧯 If You Can't Patch
- Immediately remove upload permissions from all user accounts
- Isolate affected systems from production networks and implement strict network access controls
🔍 How to Verify
Check if Vulnerable:
Check the HFS version number in the web interface or configuration files. HFS version 3 releases before 0.52.10 are vulnerable.
Check Version:
Check the HFS web interface or examine the package/installation version information.
Verify Fix Applied:
Verify the version is 0.52.10 or later and check that the commit 305381bd36eee074fb238b64302a252668daad1d is applied.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns in system logs
- Multiple failed authentication attempts followed by successful login and upload activity
- Suspicious process creation from HFS service account
Network Indicators:
- Unexpected outbound connections from HFS server
- Unusual upload patterns to HFS server
SIEM Query:
Process-creation events whose parent process is the HFS service and whose command line contains shell metacharacters or unexpected system commands.
🔗 References
- https://github.com/rejetto/hfs/commit/305381bd36eee074fb238b64302a252668daad1d
- https://github.com/rejetto/hfs/compare/v0.52.9...v0.52.10
- https://www.rejetto.com/wiki/index.php/HFS:_Working_with_uploads