CVE-2024-43399

8.0 HIGH

📋 TL;DR

This vulnerability in MobSF allows attackers to bypass Zip Slip protections during static library analysis, enabling arbitrary file extraction to any location on the server. It affects all MobSF instances running versions before 4.0.7. Organizations using MobSF for mobile application security testing are at risk.

💻 Affected Systems

Products:
  • Mobile Security Framework (MobSF)
Versions: All versions before 4.0.7
Operating Systems: All platforms running MobSF
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the static libraries analysis feature when processing .a extension files.
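Zip Slip is the class of bug where an archive member name containing `..` (or an absolute path) makes a naive extractor write outside its destination directory. The .a static libraries mentioned above are ar(1) archives, so the example below, added here and not MobSF's own code, parses a constructed ar archive and refuses to write any member whose resolved path lands outside the extraction directory. The archive builder, member names and data are constructed for the demonstration; the example does not reproduce the specific bypass behind this CVE, it shows the containment check a hardened extractor should perform.

```python
import os
import tempfile

# Minimal reader for the ar(1) container used by .a static libraries.
# Constructed for this example; this is not MobSF's extraction code.
AR_MAGIC = b"!<arch>\n"
AR_HEADER_LEN = 60


def build_ar(members):
    """Build an ar archive from (name, data) pairs (names limited to the 16-byte field)."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        if len(name) > 16:
            raise ValueError("short-name ar entries are limited to 16 characters")
        # name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2) == 60 bytes
        header = (
            f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}".encode("ascii")
            + b"`\n"
        )
        out += header + data
        if len(data) % 2:  # member data is padded to an even offset
            out += b"\n"
    return bytes(out)


def iter_ar_members(blob):
    """Yield (name, data) for each member of an ar archive held in memory."""
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    pos = 8
    while pos + AR_HEADER_LEN <= len(blob):
        hdr = blob[pos:pos + AR_HEADER_LEN]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt member header")
        # GNU ar terminates names with '/', BSD ar pads with spaces; strip both
        name = hdr[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        data = blob[pos + AR_HEADER_LEN:pos + AR_HEADER_LEN + size]
        yield name, data
        pos += AR_HEADER_LEN + size + (size & 1)


def resolve_inside(dest_dir, member_name):
    """Return the output path for member_name, or None if it would escape dest_dir."""
    dest_root = os.path.realpath(dest_dir)
    # Absolute names and Windows drive prefixes can never be inside dest_dir
    if not member_name or os.path.isabs(member_name) or os.path.splitdrive(member_name)[0]:
        return None
    # Normalise backslashes, then resolve '..' and symlinks against the real root
    candidate = os.path.realpath(os.path.join(dest_root, member_name.replace("\\", "/")))
    if candidate == dest_root or os.path.commonpath([dest_root, candidate]) != dest_root:
        return None
    return candidate


def safe_extract_ar(blob, dest_dir):
    """Write members of the archive under dest_dir; return (written, rejected) names."""
    written, rejected = [], []
    for name, data in iter_ar_members(blob):
        target = resolve_inside(dest_dir, name)
        if target is None:
            rejected.append(name)  # a real service would log this as a traversal attempt
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
        written.append(name)
    return written, rejected


def demo():
    """Extract a constructed archive with two benign and two escaping members."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "extracted")
        blob = build_ar([
            ("lib.o", b"\x7fELF-object"),
            ("sub/obj.o", b"obj"),          # odd length, exercises padding
            ("../evil.txt", b"pwned"),      # constructed traversal name
            ("/etc/x", b"x"),               # constructed absolute name
        ])
        written, rejected = safe_extract_ar(blob, dest)
        escaped = os.path.exists(os.path.join(tmp, "evil.txt"))
        return {"written": written, "rejected": rejected, "escaped": escaped}


if __name__ == "__main__":
    print(demo())
```

The check resolves the destination and the candidate with `realpath` before comparing, so `..` segments, backslash separators and symlinks already present under the destination are all accounted for; a comparison on the raw string (for instance `name.startswith("..")`) is the kind of check that traversal payloads are built to slip past.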

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise via arbitrary file write leading to remote code execution, data exfiltration, or system takeover.

🟠 Likely Case: File system manipulation allowing attackers to overwrite critical files, install backdoors, or disrupt MobSF functionality.

🟢 If Mitigated: Limited impact if proper network segmentation and least privilege principles are implemented.

🌐 Internet-Facing: HIGH - MobSF instances exposed to the internet are directly exploitable by attackers.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires uploading a malicious .a file to the MobSF instance, which can be done via the web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.7

Vendor Advisory: https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-4hh3-vj32-gr6j

Restart Required: Yes

Instructions:

1. Stop the MobSF service.
2. Update to version 4.0.7 using pip: pip install --upgrade mobsf==4.0.7
3. Restart the MobSF service.

🔧 Temporary Workarounds

Disable Static Libraries Analysis (platforms: all)

Temporarily disable the vulnerable static libraries analysis feature: modify the MobSF configuration to disable .a file processing.

Network Isolation (platforms: all)

Restrict network access to the MobSF instance: configure firewall rules to limit access to trusted IPs only.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate MobSF from critical systems
  • Run MobSF with minimal privileges and in a containerized environment

🔍 How to Verify

Check if Vulnerable:

Check the MobSF version: if it is lower than 4.0.7, the system is vulnerable.

Check Version:

python -c "import mobsf; print(mobsf.__version__)"

Verify Fix Applied:

Verify that the installed version is 4.0.7 or higher and test that .a file processing still works.
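The version check above can be scripted for fleet-wide verification. The example below is added here and is not part of the advisory; it reads the installed package version from pip metadata (`importlib.metadata`, which works even if the module does not expose a `__version__` attribute) and compares it against 4.0.7, treating pre-release tags such as `4.0.7b1` as older than the final release.

```python
import re
from importlib import metadata

# First version that contains the fix, taken from the advisory
FIXED_VERSION = (4, 0, 7)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(.*)$")
# Suffixes that mark a build as preceding the final release of the same number
_PRERELEASE_RE = re.compile(r"^[-._]?(a|b|c|rc|alpha|beta|pre|preview|dev)", re.I)


def parse_version(text):
    """Turn '4.0.7', 'v4.0.10' or '4.0.7b1' into (major, minor, patch, is_final)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, rest = m.groups()
    is_final = not _PRERELEASE_RE.match(rest)
    return (int(major), int(minor), int(patch or 0), is_final)


def is_vulnerable(version_text):
    """True if the given MobSF version predates the 4.0.7 fix."""
    # A final 4.0.7 sorts after a 4.0.7 pre-release because True > False
    return parse_version(version_text) < FIXED_VERSION + (True,)


def installed_mobsf_version():
    """Return the installed mobsf package version, or None if it is not installed."""
    try:
        return metadata.version("mobsf")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    current = installed_mobsf_version()
    if current is None:
        print("mobsf is not installed in this environment")
    else:
        state = "VULNERABLE" if is_vulnerable(current) else "patched"
        print(f"mobsf {current}: {state} (fix in 4.0.7)")
```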

📡 Detection & Monitoring

Log Indicators:

  • Unusual .a file uploads
  • File extraction errors
  • Path traversal attempts in logs

Network Indicators:

  • Unexpected outbound connections from MobSF server
  • Large file transfers

SIEM Query:

source="mobsf.log" AND ("path traversal" OR ".a file" OR "extraction error")
