CVE-2024-49357
📋 TL;DR
ZimaOS versions 1.2.4 and earlier expose sensitive system and application data through an unauthenticated API endpoint, /v1/users/image, which returns the file named in its path query parameter (for example /var/lib/casaos/1/app_order.json). Anyone who can reach the web interface can read details of installed applications and system configuration without credentials. All ZimaOS installations running affected versions are vulnerable.
💻 Affected Systems
- ZimaOS
📦 What is this software?
ZimaOS by ZimaSpace (IceWhaleTech on GitHub): an operating system for home servers and NAS devices, built on CasaOS.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain a complete picture of the system (installed applications, their versions and configuration), enabling targeted attacks against known vulnerabilities in the exposed applications or use of leaked configuration data for privilege escalation.
Likely Case
Information disclosure allows attackers to map the system environment, identify vulnerable software versions, and plan subsequent attacks based on discovered applications and configurations.
If Mitigated
With proper network segmentation and access controls, the endpoint is reachable only from the trusted segment, so the disclosure is limited to hosts that already have network access to the device.
🎯 Exploit Status
Exploitation requires only an unauthenticated HTTP GET to the affected endpoint; no special tooling is needed. A YouTube demonstration video is available showing the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None available
Vendor Advisory: https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-hg2h-q5h6-r5c4
Restart Required: Not applicable (no patch yet)
Instructions:
No official patch is available at the time of writing. Monitor the vendor advisory for a fixed release and apply it when published; until then, rely on the workarounds below.
🔧 Temporary Workarounds
Network Access Control
Restrict network access to the ZimaOS web interface (and therefore its API endpoints) to a trusted management subnet using host firewall rules. Replace 192.168.10.0/24 with your own trusted range and 80 with whatever port the ZimaOS web UI actually listens on. Issue the rules in this order (ACCEPT before DROP, since -A appends) and make sure no earlier rule already accepts the port; the rules are not persistent across reboots unless saved with your distribution's mechanism (for example iptables-save).
iptables -A INPUT -p tcp --dport 80 -s 192.168.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Reverse Proxy Authentication
Place ZimaOS behind a reverse proxy that requires authentication before forwarding any request, including the /v1/ API paths. This only helps if the ZimaOS port itself is no longer reachable except from the proxy; otherwise clients simply bypass the proxy and hit the endpoint directly.
🧯 If You Can't Patch
- Isolate ZimaOS systems on separate network segments with strict access controls
- Implement network monitoring for unauthorized access attempts to the vulnerable endpoints
🔍 How to Verify
Check if Vulnerable:
Send an unauthenticated GET (for example with curl, without cookies or tokens) to http://<ZimaOS-IP>/v1/users/image?path=/var/lib/casaos/1/app_order.json. If the response is a 200 carrying the file's JSON content, the system is vulnerable.
Check Version:
Check the ZimaOS version in the web interface or system information page; 1.2.4 and earlier are affected.
Verify Fix Applied:
Verify that the same request, sent without credentials, now returns an authentication error (for example 401 or 403) or another error response rather than file content.
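The following script automates the three checks above. It is an added example for this page, not code from ZimaOS or the advisory. It assumes the web UI answers plain HTTP on port 80 and that a vulnerable build returns 200 with the JSON file body while a fixed build rejects the request with 401/403 or an error; both of those are our assumptions, so an INCONCLUSIVE verdict should be inspected by hand.

```python
"""Added example (not ZimaOS project code): probe /v1/users/image without credentials."""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumption: the ZimaOS web UI is reachable over plain HTTP on port 80.
# The file below is the one named on the advisory card; add others as needed.
SENSITIVE_PATHS = [
    "/var/lib/casaos/1/app_order.json",
]


def classify(status, body):
    """Turn an unauthenticated response into a verdict.

    Assumption (ours): a vulnerable build serves the file (200 + JSON),
    a fixed build answers 401/403 or an error status instead.
    """
    if status == 200:
        try:
            json.loads(body)
            return "VULNERABLE"        # readable JSON came back with no credentials
        except ValueError:
            return "INCONCLUSIVE"      # 200 but not the file we asked for; look manually
    if status in (401, 403):
        return "NOT_VULNERABLE"
    return "INCONCLUSIVE"


def fetch(host, path, timeout=10.0):
    """GET the endpoint with no cookies or tokens; return (status, body)."""
    url = "http://%s/v1/users/image?path=%s" % (host, urllib.parse.quote(path, safe="/"))
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2024-49357-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # 4xx/5xx raise; the status and body are still what we want to classify.
        return err.code, err.read()


def check_host(host):
    """Verdict per sensitive path for one host."""
    return {p: classify(*fetch(host, p)) for p in SENSITIVE_PATHS}


if __name__ == "__main__":
    # Usage: python check_zimaos.py 192.168.10.50
    for path, verdict in check_host(sys.argv[1]).items():
        print("%s: %s" % (path, verdict))
```

Run it before applying a workaround to confirm exposure, and again afterwards (from an address outside the trusted subnet) to confirm the endpoint is no longer reachable without credentials.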
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /v1/users/image endpoint with path parameter
- Unauthenticated access attempts to sensitive API endpoints
Network Indicators:
- Unusual HTTP GET requests to /v1/users/image?path= from unauthorized IP addresses
- Traffic patterns showing reconnaissance activity
SIEM Query:
source="zimaos" AND (url="/v1/users/image" OR url CONTAINS "app_order.json" OR url CONTAINS "system.json")
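Most deployments will not have a SIEM field called "zimaos", so here is the same logic applied directly to web-server access logs. This is an added example for this page, not tooling from ZimaOS or the advisory. It assumes the logs are in the combined format a reverse proxy such as nginx writes in front of ZimaOS, and the sample lines are constructed, not real traffic. Requests to /v1/users/image are labelled by what their path= parameter asks for; hits from outside a trusted subnet that received a 200 are rated highest, because that is the case where data actually left the box. Traversal sequences in the parameter are flagged as a generic precaution for any file-path parameter; the card itself only describes absolute paths.

```python
"""Added example (not part of the advisory): flag probes of the ZimaOS
/v1/users/image endpoint in reverse-proxy access logs."""
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: combined log format (client IP first, request line in quotes, then status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Files the advisory card names as exposed; extend as needed.
SENSITIVE_FILES = ("app_order.json", "system.json")


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(url):
    """Label a request URL, or return None if it is not the affected endpoint."""
    parts = urlsplit(url)
    if parts.path != "/v1/users/image":
        return None
    path_param = parse_qs(parts.query).get("path")
    if not path_param:
        return "endpoint_hit"            # endpoint touched without a path= parameter
    target = unquote(path_param[0])      # parse_qs already decoded once; be safe on double encoding
    if ".." in target:
        return "traversal_attempt"       # precautionary; not a behaviour the card describes
    if target.endswith(SENSITIVE_FILES):
        return "sensitive_file_read"
    return "path_param_read"


def scan(lines, trusted_nets=()):
    """Scan log lines; return one alert dict per request to the endpoint."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        label = classify_request(rec["url"])
        if label is None:
            continue
        ip = ipaddress.ip_address(rec["ip"])
        from_trusted = any(ip in n for n in nets)
        if from_trusted:
            severity = "low"             # allowed subnet; still worth a look
        elif rec["status"] == "200":
            severity = "high"            # untrusted client and the server handed over content
        else:
            severity = "medium"          # untrusted client, request rejected (blocked or fixed)
        alerts.append({
            "ip": rec["ip"], "ts": rec["ts"], "label": label,
            "status": rec["status"], "severity": severity,
        })
    return alerts


# Constructed sample lines for demonstration (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:12:00:01 +0000] "GET /v1/users/image?path=/var/lib/casaos/1/app_order.json HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2024:12:00:02 +0000] "GET /v1/users/image?path=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024 "-" "curl/8.0"
192.168.10.5 - - [10/Oct/2024:12:01:00 +0000] "GET /v1/users/image?path=/var/lib/casaos/1/system.json HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2024:12:02:00 +0000] "GET /v1/users/image?path=/var/lib/casaos/1/app_order.json HTTP/1.1" 401 0 "-" "python-requests/2.31"
192.168.10.5 - - [10/Oct/2024:12:03:00 +0000] "GET /v1/apps HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines(), trusted_nets=["192.168.10.0/24"]):
        print(alert)
```

Feed real logs in with `scan(open("access.log"), trusted_nets=[...])` using the same subnet you allowed in the firewall workaround; a steady stream of "medium" alerts after the fix is applied is confirmation that someone is still probing, while any "high" alert means content was served and the host should be treated as reconnoitred.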