Login Sign Up

CVE-2024-42363

8.8 HIGH
Remote Code Execution Deserialization

📋 TL;DR

This vulnerability allows remote code execution through unsafe YAML deserialization in the Kubernetes plugin of the Samson deployment tool. Attackers can exploit user-controlled role parameters to execute arbitrary code on affected systems. Organizations using vulnerable versions of Samson with the Kubernetes plugin enabled are at risk.

💻 Affected Systems

Products:
  • Zendesk Samson with Kubernetes plugin
Versions: All versions prior to 3385
Operating Systems: Any OS running Samson
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Kubernetes plugin to be enabled and accessible. The vulnerability exists in the role verification controller.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to execute arbitrary commands, steal sensitive data, deploy malware, or pivot to other systems in the environment.

🟠

Likely Case

Remote code execution leading to data exfiltration, privilege escalation, or deployment of cryptocurrency miners/ransomware.

🟢

If Mitigated

Limited impact if proper network segmentation, least privilege, and input validation are implemented, though RCE would still be possible.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication if the application is internet-facing.
🏢 Internal Only: HIGH - Even internally, this provides a significant attack vector for lateral movement and privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit as it involves YAML deserialization, a common attack vector. No authentication is required to trigger the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3385

Vendor Advisory: https://github.com/zendesk/samson/pull/4071

Restart Required: Yes

Instructions:

1. Update Samson to version 3385 or later. 2. Apply the fix from PR #4071 which replaces YAML.load_stream with safe_load_stream. 3. Restart the Samson application.

🔧 Temporary Workarounds

Disable Kubernetes plugin

all

Temporarily disable the vulnerable Kubernetes plugin to prevent exploitation

# Check Samson configuration for plugin disabling options
# Typically in config/plugins.yml or environment variables

Network access control

linux

Restrict access to the vulnerable endpoint using network controls

# Use firewall rules to restrict access to the role verification endpoint
# Example: iptables -A INPUT -p tcp --dport <samson_port> -s <trusted_ips> -j ACCEPT

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for the role parameter
  • Deploy WAF rules to block YAML deserialization payloads and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check if Samson version is below 3385 and the Kubernetes plugin is enabled. Review the code at plugins/kubernetes/app/controllers/kubernetes/role_verifications_controller.rb for unsafe YAML.load_stream usage.

Check Version:

Check Samson version in the application interface or run: grep -r 'VERSION' config/application.rb or similar version file

Verify Fix Applied:

Verify Samson version is 3385 or higher and that YAML.load_stream has been replaced with safe_load_stream in the affected files.

📡 Detection & Monitoring

Log Indicators:

  • Unusual YAML payloads in role parameter requests
  • Unexpected process execution from Samson
  • Errors from YAML parsing in application logs

Network Indicators:

  • HTTP requests to /kubernetes/role_verifications with malicious YAML content
  • Outbound connections from Samson to unexpected destinations

SIEM Query:

source="samson" AND ("YAML.load_stream" OR "role_verifications" OR "RemoteCodeExecution")

📊 Metadata

CVE ID: CVE-2024-42363
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-502
Published: August 20, 2024
Last Updated: August 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-42363, you might also want to check these:

CVE-2023-46604 10.0

CVE-2023-46604 is a critical remote code execution vulnerability in Apache ActiveMQ's Java OpenWire ...

Same vulnerability type (CWE-502)
CVE-2023-49772 10.0

This vulnerability allows unauthenticated attackers to execute arbitrary PHP code through deserializ...

Same vulnerability type (CWE-502)
CVE-2024-25100 10.0

This vulnerability allows unauthenticated attackers to inject malicious PHP objects via deserializat...

Same vulnerability type (CWE-502)