CVE-2024-41628
📋 TL;DR
This CVE describes a directory traversal vulnerability in Severalnines Cluster Control's CMON API that allows remote attackers to read arbitrary files on the server. Attackers can exploit this to include and display sensitive file content via HTTP requests. Organizations running vulnerable versions of Severalnines Cluster Control are affected.
💻 Affected Systems
- Severalnines Cluster Control
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through reading sensitive configuration files, credentials, or private keys leading to lateral movement and data exfiltration.
Likely Case
Unauthorized access to sensitive system files, configuration data, and potentially credential theft.
If Mitigated
Limited impact with proper network segmentation, API authentication, and file permission restrictions.
🎯 Exploit Status
GitHub repository contains proof-of-concept exploit code. Directory traversal vulnerabilities are commonly weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.8-9778, 2.0.0-9779, or 2.1.0-9780
Vendor Advisory: https://docs.severalnines.com/docs/clustercontrol/changelogs/changes-in-v1-9-8/#maintenance-release-july-24th-2024
Restart Required: Yes
Instructions:
1. Back up your configuration.
2. Update to the patched version using your package manager.
3. Restart the Cluster Control service.
4. Verify that the update was successful.
🔧 Temporary Workarounds
Restrict CMON API Access
Limit network access to the CMON API using firewall rules to only trusted IP addresses.
iptables -A INPUT -p tcp --dport [CMON_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [CMON_PORT] -j DROP
Implement Web Application Firewall
Deploy a WAF with directory traversal protection rules to block malicious requests.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Cluster Control from untrusted networks
- Enable authentication and authorization for all API endpoints if not already configured
🔍 How to Verify
Check if Vulnerable:
Check your Cluster Control version against the affected versions. Test with a safe directory traversal payload against the /cmonapi endpoint.
Check Version:
cmon --version or check package manager (apt show clustercontrol or yum info clustercontrol)
Verify Fix Applied:
Verify version is updated to patched version and test that directory traversal attempts return appropriate error responses.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' or directory traversal patterns to CMON API endpoints
- Unusual file access patterns from API users
Network Indicators:
- HTTP requests with path traversal sequences to Cluster Control API ports
SIEM Query:
source="clustercontrol" AND (url="*../*" OR url="*..\\*" OR url="*%2e%2e%2f*")
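The SIEM query above is a plain substring match, so it misses double-encoded sequences such as %252e%252e%252f and flags benign filenames that merely contain two dots. The following is an added example (not code from the page, the vendor, or the referenced GitHub repository) of a log-side check that percent-decodes the request path until it is stable, folds backslashes to slashes, and only reports whole '..' segments aimed at the CMON API prefix. The log lines are constructed in combined-log format against a hypothetical host; the /cmonapi prefix is the one named on this page.

```python
"""Detect directory-traversal attempts against the CMON API in web-server access logs.

Added example: refines the page's substring-based SIEM query by percent-decoding
the request path (repeatedly, to catch double encoding), normalising backslashes,
and matching only whole '..' tokens, so 'app..js' is not flagged while
'%252e%252e%252f' is.
"""
import re
from urllib.parse import unquote

# Combined-log-format line: client ident user [timestamp] "METHOD path HTTP/x" status
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3})'
)

# Constructed sample log lines (not taken from the page or from any real host).
SAMPLE_LOGS = [
    '10.0.0.5 - - [24/Jul/2024:10:01:02 +0000] "GET /cmonapi/v2/clusters HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Jul/2024:10:01:07 +0000] "GET /cmonapi/v2/../../../../etc/passwd HTTP/1.1" 200 1833',
    '10.0.0.9 - - [24/Jul/2024:10:01:09 +0000] "GET /cmonapi/v2/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1833',
    '10.0.0.9 - - [24/Jul/2024:10:01:11 +0000] "GET /cmonapi/v2/%252e%252e%252fetc/shadow HTTP/1.1" 403 0',
    '10.0.0.9 - - [24/Jul/2024:10:01:13 +0000] "GET /cmonapi/v2/..%5c..%5cwindows/win.ini HTTP/1.1" 404 0',
    '10.0.0.7 - - [24/Jul/2024:10:02:00 +0000] "GET /cmonapi/v2/static/app..js HTTP/1.1" 200 90',
]


def normalize_path(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), then fold '\\' to '/'.

    Repeated decoding catches double-encoded '%252e%252e%252f'; the bound stops
    a crafted path from looping the decoder indefinitely.
    """
    decoded = path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def has_traversal(path: str) -> bool:
    """True if any path or query token is exactly '..' after normalisation.

    Splitting on '/', '?', '=' and '&' also catches '?file=../x' style query
    parameters while leaving 'app..js' alone.
    """
    tokens = re.split(r"[/?=&]", normalize_path(path))
    return ".." in tokens


def scan_logs(lines, api_prefix="/cmonapi"):
    """Return the parsed entries that target api_prefix and carry a traversal sequence."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path = m.group("path")
        normalized = normalize_path(path)
        if not normalized.startswith(api_prefix):
            continue
        if has_traversal(path):
            hits.append({
                "client": m.group("client"),
                "path": path,
                "normalized": normalized,
                "status": int(m.group("status")),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f'{hit["client"]} {hit["status"]} {hit["path"]} -> {hit["normalized"]}')
```

Run against the constructed lines, four requests from 10.0.0.9 are reported and the benign /cmonapi/v2/static/app..js request is not. Status codes are kept in the output because a 200 on a traversal request is the case worth escalating, while 403/404 responses indicate a WAF or patched build rejecting the attempt.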
🔗 References
- http://clustercontrol.com
- http://severalnines.com
- https://docs.severalnines.com/docs/clustercontrol/changelogs/changes-in-v1-9-8/#maintenance-release-july-24th-2024
- https://docs.severalnines.com/docs/clustercontrol/changelogs/changes-in-v2-1-0/
- https://github.com/Redshift-CyberSecurity/CVE-2024-41628