CVE-2024-46648
📋 TL;DR
eNMS versions 4.4.0 through 4.7.1 contain a directory traversal vulnerability in the scan_folder function that allows attackers to read arbitrary files on the server. This affects all eNMS installations running vulnerable versions. Attackers can potentially access sensitive configuration files, credentials, or other system data.
💻 Affected Systems
- eNMS
📦 What is this software?
Enms by Enms
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like SSH keys, database credentials, or configuration files containing secrets, potentially leading to lateral movement and data exfiltration.
Likely Case
Unauthorized access to sensitive files containing credentials, configuration data, or user information that could enable further attacks.
If Mitigated
Limited impact with proper file permissions and network segmentation, potentially only exposing non-sensitive files.
🎯 Exploit Status
Directory traversal vulnerabilities are typically easy to exploit with simple path traversal sequences. The GitHub reference likely contains proof-of-concept details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.7.2 or later
Vendor Advisory: https://github.com/skit-cyber-security/eNMS_vulnerabilities
Restart Required: Yes
Instructions:
1. Back up the current eNMS installation and database.
2. Download eNMS version 4.7.2 or later from the official source.
3. Replace the vulnerable files with the patched version.
4. Restart the eNMS service.
5. Verify functionality.
🔧 Temporary Workarounds
Input Validation Filter
all: Add input validation to reject directory traversal sequences in the scan_folder parameter
Modify scan_folder function to validate and sanitize input paths
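One way to implement the path validation this workaround calls for, shown as an added example and not eNMS's own code: the requested path is canonicalised and compared against the allowed base directory, which also rejects absolute paths and symlinks that a plain '../' string filter would miss. The names `resolve_inside`, `list_folder`, `PathOutsideBase` and `demo` are hypothetical, the directory tree is constructed in a temporary folder, and a POSIX filesystem is assumed.

```python
import os
import tempfile


class PathOutsideBase(ValueError):
    """The requested path resolves outside the allowed base directory."""


def resolve_inside(base_dir, user_path):
    """Return the canonical path for user_path, or raise if it leaves base_dir."""
    if "\x00" in user_path:
        raise PathOutsideBase("NUL byte in path")
    base = os.path.realpath(base_dir)
    # realpath() collapses '..' and follows symlinks, so the comparison is made
    # on the location that would really be read. An absolute user_path replaces
    # base inside os.path.join() and therefore fails the check as well.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PathOutsideBase(f"{user_path!r} resolves outside {base!r}")
    return candidate


def list_folder(base_dir, user_path):
    """Hypothetical folder-listing handler that validates before touching disk."""
    return sorted(os.listdir(resolve_inside(base_dir, user_path)))


def demo():
    """Run constructed inputs against a constructed tree; return the verdicts."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "files")
        os.makedirs(os.path.join(base, "reports"))
        open(os.path.join(base, "reports", "a.txt"), "w").close()
        os.symlink(root, os.path.join(base, "escape"))  # link pointing outside base
        for path in ("reports", "../../etc/passwd", "/etc/passwd",
                     "reports/../..", "escape"):
            try:
                list_folder(base, path)
                verdicts[path] = "allowed"
            except PathOutsideBase:
                verdicts[path] = "rejected"
    return verdicts


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8}  {path}")
```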
File Permission Restriction
linux: Restrict eNMS process permissions to limit accessible directories
chmod 750 /path/to/eNMS/data
chown www-data:www-data /path/to/eNMS/data
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block directory traversal patterns
- Network segmentation to isolate eNMS from sensitive systems and restrict outbound connections
🔍 How to Verify
Check if Vulnerable:
Check if eNMS version is between 4.4.0 and 4.7.1 inclusive. Test scan_folder endpoint with directory traversal payloads like '../../etc/passwd'.
Check Version:
Check eNMS web interface or configuration files for version information
Verify Fix Applied:
After patching, attempt directory traversal attacks against scan_folder endpoint and verify they are blocked. Check that version is 4.7.2 or later.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' or similar traversal patterns to scan_folder endpoint
- Access to unexpected file paths in application logs
Network Indicators:
- Unusual file read patterns from eNMS server
- Requests with path traversal sequences
SIEM Query:
source="eNMS" AND (url="*scan_folder*" AND (url="*../*" OR url="*..\\*" OR url="*%2e%2e%2f*"))