CVE-2024-49359
📋 TL;DR
This vulnerability allows authenticated users to perform directory traversal attacks via the /v2_1/file API endpoint in ZimaOS, enabling them to list contents of any directory on the server including sensitive system directories like /etc. All ZimaOS users running version 1.2.4 or earlier are affected.
💻 Affected Systems
- ZimaOS
📦 What is this software?
Zimaos by Zimaspace
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full system access by reading sensitive configuration files (passwords, keys, tokens) and use this information to escalate privileges, compromise the entire system, and potentially pivot to other systems.
Likely Case
Authenticated attackers read sensitive system files, discover credentials or configuration weaknesses, and use this information for further attacks against the system or network.
If Mitigated
Attackers can only list directory contents but cannot read file contents or write files, limiting immediate damage but still exposing sensitive information about system structure.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial with simple path traversal techniques. A YouTube demonstration video is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None available
Vendor Advisory: https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-mwpw-fhrm-728x
Restart Required: No
Instructions:
No official patch is available. Monitor the vendor advisory for updates and apply immediately when released.
🔧 Temporary Workarounds
API Endpoint Restriction
Restrict access to the vulnerable /v2_1/file endpoint using web server configuration or firewall rules.
# Example nginx location block to deny access
location /v2_1/file {
deny all;
return 403;
}
Network Segmentation
Isolate ZimaOS systems from untrusted networks and restrict API access to authorized IP addresses only.
# Example iptables rule to restrict API access
iptables -A INPUT -p tcp --dport <ZIMA_PORT> -s <TRUSTED_IP> -j ACCEPT
iptables -A INPUT -p tcp --dport <ZIMA_PORT> -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit which systems can reach the ZimaOS API endpoints.
- Review and minimize the number of authenticated users with API access to reduce attack surface.
🔍 How to Verify
Check if Vulnerable:
Test if you can access the /v2_1/file endpoint with path traversal payloads like '../../etc' while authenticated.
Check Version:
Check the ZimaOS version through the web interface or the system information endpoints.
Verify Fix Applied:
Attempt the same directory traversal request after applying the workarounds; you should receive a 403 or a connection refused.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /v2_1/file with '../' sequences in parameters
- Unusual access patterns to API from authenticated users
Network Indicators:
- Multiple sequential requests to /v2_1/file with varying path parameters
- Traffic spikes to the ZimaOS API endpoint
SIEM Query:
source="zimaos.log" AND uri_path="/v2_1/file" AND (param="*../*" OR param="*..\\*" OR param="*%2e%2e%2f*")
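The SIEM query above matches literal '../' and a single URL-encoded form. As an added example (not part of the original advisory and not ZimaOS code), the following Python applies the same log indicators to constructed access-log lines, percent-decoding each query value repeatedly so that double-encoded sequences are also caught, and matching only a real '..' path segment rather than any name that merely contains two dots. The log line format, the 'path' parameter name and the sample lines are assumptions made for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (assumed format: client_ip user "METHOD target HTTP/x" status).
# These are not real ZimaOS logs; they only illustrate the indicators described above.
SAMPLE_LOG = """\
10.0.0.5 alice "GET /v2_1/file?path=/DATA/media HTTP/1.1" 200
10.0.0.5 alice "GET /v2_1/file?path=../../etc HTTP/1.1" 200
10.0.0.9 bob "GET /v2_1/file?path=%2e%2e%2f%2e%2e%2fetc HTTP/1.1" 200
10.0.0.9 bob "GET /v2_1/file?path=..%5c..%5cwindows HTTP/1.1" 200
10.0.0.7 carol "GET /v2_1/users/me HTTP/1.1" 200
10.0.0.7 carol "GET /v2_1/file?path=/DATA/..hidden HTTP/1.1" 200
"""

VULNERABLE_PATH = "/v2_1/file"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

# A traversal segment is '..' delimited by '/' or '\' (or by the start/end of the value).
# '/DATA/..hidden' is a legitimate name and must not match.
TRAVERSAL_SEGMENT = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so '%252e%252e%252f' is seen as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(raw_value):
    """True if the (decoded) parameter value contains a '..' path segment."""
    return bool(TRAVERSAL_SEGMENT.search(decode_fully(raw_value)))


def find_traversal_events(log_text):
    """Return one event per request to /v2_1/file whose query carries a traversal segment."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline would count these
        parts = urlsplit(m["target"])
        if parts.path != VULNERABLE_PATH:
            continue
        # parse_qs already performs one round of percent-decoding.
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                if has_traversal(value):
                    events.append({
                        "ip": m["ip"],
                        "user": m["user"],
                        "param": name,
                        "decoded": decode_fully(value),
                        "status": int(m["status"]),
                    })
    return events


def count_by_user(events):
    """Per-user hit counts, matching the 'multiple sequential requests' network indicator."""
    return dict(Counter(e["user"] for e in events))


if __name__ == "__main__":
    found = find_traversal_events(SAMPLE_LOG)
    for e in found:
        print(f"{e['user']}@{e['ip']} {e['param']}={e['decoded']!r} status={e['status']}")
    print("hits per user:", count_by_user(found))
```

A status of 200 on a flagged request means the workaround (deny rule) was not in place at the time; once the nginx or firewall rule is applied, the same requests should show 403 or not appear at all.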