CVE-2024-4846
📋 TL;DR
This vulnerability allows an authenticated attacker to bypass two-factor authentication (2FA) in Devolutions Server by using another browser tab to authenticate as another user without being prompted for 2FA. It affects Devolutions Server 2024.1.14.0 and earlier versions. Users with 2FA enabled are vulnerable to account takeover.
💻 Affected Systems
- Devolutions Server
📦 What is this software?
Devolutions Server by Devolutions
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could gain unauthorized access to any user account, potentially compromising sensitive data, performing privileged actions, or maintaining persistent access to the system.
Likely Case
An attacker with valid credentials could bypass 2FA to access another user's account, leading to unauthorized data access or privilege escalation within the application.
If Mitigated
With proper network segmentation, strong authentication policies, and monitoring, impact would be limited to unauthorized access within the application scope rather than full system compromise.
🎯 Exploit Status
Exploitation requires an authenticated session and knowledge of another user's credentials. The attack vector involves browser tab manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.1.15.0 or later
Vendor Advisory: https://devolutions.net/security/advisories/DEVO-2024-0009
Restart Required: Yes
Instructions:
1. Download the latest version from the Devolutions website.
2. Back up your current installation.
3. Run the installer to upgrade to version 2024.1.15.0 or later.
4. Restart the Devolutions Server service.
🔧 Temporary Workarounds
Disable 2FA
Temporarily disable two-factor authentication to prevent the bypass vulnerability
Navigate to Administration > Security > Two-Factor Authentication and disable
Session Management
Implement strict session management policies to prevent tab-based attacks
Configure session timeout policies and single session per user
🧯 If You Can't Patch
- Implement network segmentation to isolate Devolutions Server from critical systems
- Enable detailed logging and monitoring for authentication events and account access patterns
🔍 How to Verify
Check if Vulnerable:
Check the Devolutions Server version in the web interface under Help > About or via the server console
Check Version:
In Devolutions Server web interface: Help > About, or check server logs for version information
Verify Fix Applied:
Verify the version is 2024.1.15.0 or later and test 2FA functionality with multiple browser tabs
📡 Detection & Monitoring
Log Indicators:
- Multiple successful logins from same IP for different users in short timeframe
- 2FA bypass attempts in authentication logs
- Unusual account access patterns
Network Indicators:
- Multiple authentication requests from same session
- Concurrent logins from same client
SIEM Query:
source="devolutions_server" event_type="authentication" result="success" | bin _time span=5m | stats dc(user) AS distinct_users values(user) AS users BY src_ip, _time | where distinct_users > 1
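The first log indicator above (several distinct accounts logging in successfully from one client address within a short window) can also be checked offline over exported logs. The script below is an added example, not Devolutions code; the `event=... result=... user=... src_ip=...` line format and the sample lines are constructed for illustration, so adapt `parse_line()` to the real Devolutions Server log format before use.

```python
"""Flag source addresses from which several distinct accounts logged in
successfully within a short time window, one of the log indicators listed
for CVE-2024-4846.

Added example, not Devolutions code. The key=value log format below is an
assumption made for illustration; real server logs will differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real Devolutions Server output).
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z event=authentication result=success user=alice src_ip=10.0.0.5
2024-05-01T10:00:40Z event=authentication result=success user=bob src_ip=10.0.0.5
2024-05-01T10:01:10Z event=authentication result=failure user=carol src_ip=10.0.0.5
2024-05-01T10:02:00Z event=authentication result=success user=alice src_ip=10.0.0.5
2024-05-01T10:30:00Z event=authentication result=success user=dave src_ip=10.0.0.9
2024-05-01T11:05:00Z event=authentication result=success user=erin src_ip=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\S+) result=(?P<result>\S+) "
    r"user=(?P<user>\S+) src_ip=(?P<src_ip>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def successful_logins(text):
    """Yield (timestamp, user, src_ip) for successful authentication events only."""
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "authentication" and rec["result"] == "success":
            yield rec["ts"], rec["user"], rec["src_ip"]


def find_shared_ip_logins(text, window_minutes=5, min_users=2):
    """Return {src_ip: sorted users} for every source address from which at
    least `min_users` distinct accounts logged in within `window_minutes`.

    Events are time-sorted and scanned with a sliding window per address, so a
    single user logging in repeatedly from one address is never flagged by itself.
    """
    window = timedelta(minutes=window_minutes)
    per_ip = defaultdict(list)
    for ts, user, ip in sorted(successful_logins(text)):
        per_ip[ip].append((ts, user))

    findings = {}
    for ip, events in per_ip.items():
        start = 0
        for end in range(len(events)):
            # Move the window start forward until every event in it fits the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                findings.setdefault(ip, set()).update(users)
    return {ip: sorted(users) for ip, users in findings.items()}


if __name__ == "__main__":
    for ip, users in find_shared_ip_logins(SAMPLE_LOGS).items():
        print(f"{ip}: {len(users)} distinct accounts within 5 min: {', '.join(users)}")
```

Failed logins are deliberately excluded, since the bypass described above yields a successful authentication without a 2FA prompt; tune `window_minutes` to how quickly legitimate shared-workstation or NAT users actually switch accounts in your environment before treating a hit as suspicious.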