CVE-2024-45164

7.1 HIGH

📋 TL;DR

This vulnerability allows authenticated users in Akamai SIA ThreatAvert to bypass authorization controls and disable policy enforcement by directly accessing the ThreatAvert Policy page. It affects organizations using Akamai SIA ThreatAvert with SPS before 19.2.0 or Apps Portal before 19.2.0.3/19.2.0.20240814.

💻 Affected Systems

Products:
  • Akamai SIA (Secure Internet Access Enterprise) ThreatAvert
Versions: SPS before 19.2.0, Apps Portal before 19.2.0.3 or 19.2.0.20240814
Operating Systems: Not specified, likely platform-independent
Default Config Vulnerable: ⚠️ Yes
Notes: Affects configurations where ThreatAvert is enabled and users have authenticated access to the SIA interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated malicious insider or compromised account could disable all ThreatAvert security policies, allowing unrestricted malicious traffic and bypassing threat protection, leading to data breaches or malware infections.

🟠 Likely Case

An authenticated user with limited privileges inadvertently or intentionally disables specific policies, reducing security coverage and allowing some threats to bypass detection.

🟢 If Mitigated

With proper access controls and monitoring, impact is minimal as only authorized admins can modify policies, and changes are logged for review.

🌐 Internet-Facing: MEDIUM, as the vulnerability requires authentication but could be exploited if credentials are compromised via phishing or other attacks targeting internet-facing interfaces.
🏢 Internal Only: HIGH, as authenticated internal users (including low-privilege ones) can directly exploit this to disable critical security policies.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but involves simple direct navigation to a specific URI (/app/intelligence/threatAvertPolicies).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SPS 19.2.0 or later, Apps Portal 19.2.0.3 or 19.2.0.20240814 or later

Vendor Advisory: https://www.akamai.com/global-services/support/vulnerability-reporting

Restart Required: No

Instructions:

1. Log into the Akamai SIA admin interface.
2. Check current version in system settings.
3. If vulnerable, apply the latest patch via the vendor's update mechanism.
4. Verify update completion and test functionality.

🔧 Temporary Workarounds

Restrict Access to ThreatAvert Policy Page

all

Implement network or application-level controls to block unauthorized access to the /app/intelligence/threatAvertPolicies URI for non-admin users.

🧯 If You Can't Patch

  • Enforce strict access controls and least privilege for authenticated users to limit who can access admin functionalities.
  • Monitor logs for unauthorized access attempts to the ThreatAvert Policy page and alert on policy changes.

🔍 How to Verify

Check if Vulnerable:

Check the SPS or Apps Portal version in the admin interface; if before SPS 19.2.0 or Apps Portal 19.2.0.3/19.2.0.20240814, it is vulnerable.

Check Version:

Not provided; check via Akamai SIA admin interface or vendor documentation.

Verify Fix Applied:

After patching, confirm the version is SPS 19.2.0 or later, or Apps Portal 19.2.0.3/19.2.0.20240814 or later, and test that non-admin users cannot access /app/intelligence/threatAvertPolicies.

📡 Detection & Monitoring

Log Indicators:

  • Log entries showing access to /app/intelligence/threatAvertPolicies by non-admin users
  • Unexpected changes to ThreatAvert policies

Network Indicators:

  • HTTP requests to the vulnerable URI from unauthorized IPs or user accounts

SIEM Query:

Example: 'event_source:"Akamai SIA" AND uri:"/app/intelligence/threatAvertPolicies" AND user_role!="admin"'
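The same check as the SIEM query, written as an offline log scan. This is an added example, not Akamai's code or part of the original advisory; the JSON-lines format, the field names (ts, user, user_role, uri) and the "admin" role value are assumptions, and the sample events are constructed.

```python
import json
from posixpath import normpath
from urllib.parse import unquote, urlsplit

POLICY_PATH = "/app/intelligence/threatavertpolicies"  # URI from the advisory, lowercased
ADMIN_ROLES = {"admin"}  # assumption: role value, taken from the SIEM query above

# Constructed sample events; the field names ts, user, user_role and uri are assumptions.
SAMPLE_LOG = """\
{"ts": "2024-09-01T10:00:00Z", "user": "alice", "user_role": "admin", "uri": "/app/intelligence/threatAvertPolicies"}
{"ts": "2024-09-01T10:05:00Z", "user": "bob", "user_role": "analyst", "uri": "/app/intelligence/threatAvertPolicies?tab=1"}
{"ts": "2024-09-01T10:06:00Z", "user": "carol", "user_role": "viewer", "uri": "/app/intelligence/threatAvertPolicies/"}
{"ts": "2024-09-01T10:07:00Z", "user": "dave", "user_role": "viewer", "uri": "/app/dashboard"}
{"ts": "2024-09-01T10:08:00Z", "user": "erin", "uri": "/app/intelligence/threatAvertPolicies"}
truncated or non-JSON line
"""


def canonical_path(uri):
    """Reduce a logged URI to a comparable path."""
    # Collectors differ on whether they keep the query string, percent-encoding,
    # trailing slashes or original case, so strip all of those before comparing.
    path = unquote(urlsplit(uri).path)
    return normpath("/" + path.lstrip("/")).lower()


def find_suspect_access(log_text):
    """Return (ts, user, role) for policy-page requests by accounts not known to be admin."""
    hits = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(event, dict):
            continue
        if canonical_path(event.get("uri") or "") != POLICY_PATH:
            continue
        role = event.get("user_role")  # a missing role is reported, not trusted
        if role not in ADMIN_ROLES:
            hits.append((event.get("ts"), event.get("user"), role))
    return hits


if __name__ == "__main__":
    for ts, user, role in find_suspect_access(SAMPLE_LOG):
        print(f"ALERT {ts} user={user} role={role} opened the ThreatAvert policy page")
```

Events with no role field are flagged rather than skipped, so a logging gap does not hide access to the policy page.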
