CVE-2024-42349
📋 TL;DR
FOG Server versions 1.5.10.41.4 and earlier store login logs in publicly accessible web server directories, exposing usernames, IP addresses, and user agents. This information disclosure vulnerability affects all FOG Server administrators using vulnerable versions. Attackers can gather reconnaissance data about legitimate users and potentially identify admin accounts.
💻 Affected Systems
- FOG Server
📦 What is this software?
FOG Project (fogproject), an open-source computer cloning and imaging system whose web management interface is served from the FOG Server.
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain admin credentials through credential stuffing or targeted attacks using exposed usernames, leading to full system compromise and unauthorized access to the cloning/imaging system.
Likely Case
Attackers gather reconnaissance data about legitimate users, identify admin accounts, and use this information for targeted phishing or credential stuffing attacks.
If Mitigated
Limited exposure of non-sensitive metadata that doesn't directly enable system compromise but still reveals user patterns.
🎯 Exploit Status
Exploitation requires only unauthenticated HTTP access to the web server root directory where the log files are stored; no exploit code is needed, a plain GET request to the log file name retrieves it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.10.47
Vendor Advisory: https://github.com/FOGProject/fogproject/security/advisories/GHSA-697m-3c4p-g29h
Restart Required: No
Instructions:
1. Back up the current configuration.
2. Update FOG Server to version 1.5.10.47 or later.
3. Remove the existing fog_login_accepted.log and fog_login_failed.log files from the web root.
4. Verify the logs are no longer accessible via the web.
🔧 Temporary Workarounds
Move logs to protected directory
Linux: relocate the log files outside the web root and update the FOG configuration to write them to the new location (the directory must exist before the move)
mkdir -p /var/log/fog
mv /var/www/html/fog_login_*.log /var/log/fog/
chmod 600 /var/log/fog/fog_login_*.log
Restrict web access to log files
Linux: add .htaccess rules that block access to the two log files only (a bare "Deny from all" in the web root would also block the FOG web interface); this requires AllowOverride to be enabled for the web root and uses Apache 2.4 syntax
cat > /var/www/html/.htaccess <<'EOF'
<FilesMatch "^fog_login_(accepted|failed)\.log$">
    Require all denied
</FilesMatch>
EOF
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to FOG web interface
- Enable detailed logging and monitoring for unauthorized access attempts to log files
🔍 How to Verify
Check if Vulnerable:
Check whether fog_login_accepted.log and fog_login_failed.log exist in the web root directory and can be fetched over HTTP without authentication (an HTTP 200 response with log content confirms the exposure)
Check Version:
grep FOG_VERSION /var/www/html/version.php
Verify Fix Applied:
Verify that the log files are no longer present in the web root and that HTTP requests for them return an error (404 or 403) rather than the file content
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to fog_login_accepted.log or fog_login_failed.log files
- Unauthorized access patterns to web root
Network Indicators:
- HTTP GET requests for log files from unusual IPs
- Multiple failed login attempts followed by log file access
SIEM Query:
source="web_access_logs" AND (uri="/fog_login_accepted.log" OR uri="/fog_login_failed.log")
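The SIEM query above expressed as a stand-alone check over web access logs, as an added example that is not part of the original advisory: it assumes the web server writes Apache/nginx "combined" format lines, matches the two log file names on the last path segment regardless of case, query string or installation sub-path, and counts only HTTP 200 responses as confirmed reads.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" access log format (assumption: FOG's web server writes it).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The two files named in the advisory. Matched on the last path segment, case-insensitively,
# so /fog/fog_login_failed.log?x=1 or /FOG_LOGIN_FAILED.LOG are still caught.
EXPOSED_LOGS = {"fog_login_accepted.log", "fog_login_failed.log"}

def parse_line(line):
    """Parse one access log line into a dict, or None if it is not in the expected format."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None

def is_log_file_request(target):
    path = urlsplit(target).path          # strip any query string
    return path.rsplit("/", 1)[-1].lower() in EXPOSED_LOGS

def find_log_file_requests(lines):
    """Return (client_ip, path, status) for every request aimed at an exposed log file."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_log_file_request(rec["target"]):
            hits.append((rec["ip"], urlsplit(rec["target"]).path, int(rec["status"])))
    return hits

def successful_reads_by_ip(lines):
    """Count HTTP 200 responses per client: a 200 means the log file was actually served."""
    return Counter(ip for ip, _, status in find_log_file_requests(lines) if status == 200)

# Constructed sample lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:10:00:01 +0000] "GET /fog/management/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2024:10:00:09 +0000] "GET /fog_login_failed.log HTTP/1.1" 200 8831 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Jun/2024:10:00:10 +0000] "GET /fog/fog_login_accepted.log?x=1 HTTP/1.1" 200 2204 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jun/2024:10:05:00 +0000] "GET /FOG_LOGIN_FAILED.LOG HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in find_log_file_requests(SAMPLE_LOG):
        print("exposed log requested:", hit)
    print("served (HTTP 200) per IP:", dict(successful_reads_by_ip(SAMPLE_LOG)))
```

A 403 hit after the .htaccess workaround is applied is the expected outcome; a 200 means the file is still being served and the fix has not taken effect.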