CVE-2024-51739
📋 TL;DR
CVE-2024-51739 is an information disclosure vulnerability in Combodo iTop that allows unauthenticated attackers to enumerate valid user accounts via the password reset functionality. It affects all iTop installations running a vulnerable version; because the response reveals whether a given username exists in the system, subsequent brute-force attacks against those accounts become more effective.
💻 Affected Systems
- Combodo iTop
📦 What is this software?
iTop by Combodo
⚠️ Risk & Real-World Impact
Worst Case
Attackers can enumerate all valid user accounts and then perform targeted brute-force attacks to compromise credentials, leading to unauthorized access and potential privilege escalation.
Likely Case
Attackers identify valid usernames and perform dictionary attacks against those accounts, potentially gaining unauthorized access to the iTop system.
If Mitigated
With proper controls like account lockouts, strong passwords, and network segmentation, the impact is limited to information disclosure without credential compromise.
🎯 Exploit Status
Exploitation requires no authentication and involves simple HTTP requests to the password reset endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.11, 3.0.5, 3.1.2, or 3.2.0
Vendor Advisory: https://github.com/Combodo/iTop/security/advisories/GHSA-2hmf-p27w-phf9
Restart Required: Yes
Instructions:
1. Back up your iTop installation and database.
2. Download the patched version from the official iTop repository.
3. Follow the iTop upgrade documentation for your version.
4. Verify the fix by testing the password reset functionality.
🔧 Temporary Workarounds
Custom Dictionary Entry Override
Override the vulnerable dictionary entry with a generic message through an iTop extension: create an extension that overloads the dictionary entry "UI:ResetPwd-Error-WrongLogin" with a generic message that does not reveal whether the submitted login exists.
🧯 If You Can't Patch
- Implement network-level controls to restrict access to the password reset endpoint
- Enable account lockout policies and implement strong password requirements
🔍 How to Verify
Check if Vulnerable:
Test the password reset functionality with valid and invalid usernames. If different error messages are returned for valid vs invalid users, the system is vulnerable.
Check Version:
Check the iTop configuration file or admin interface for version information
Verify Fix Applied:
After patching, test password reset with valid and invalid usernames. Both should return identical generic error messages.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed password reset attempts with different usernames
- Unusual patterns of requests to /pages/UI.php?operation=reset_password
Network Indicators:
- High volume of POST requests to password reset endpoint from single IPs
- Pattern of sequential username attempts
SIEM Query:
source="iTop_logs" AND (uri="/pages/UI.php?operation=reset_password" OR message="password reset") | stats count by src_ip
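The SIEM query above counts reset-endpoint hits per source IP. The following Python script, added here as an example and not part of the original advisory or of iTop itself, does the same offline over web-server access logs and applies the sliding-window burst detection the "Log Indicators" section describes: it parses combined-format lines, keeps only POST requests to the password reset endpoint named above, and flags any source IP that issues more than a threshold of such requests within a window. The log lines, the timestamps, the IP addresses and the threshold/window values are all constructed assumptions; adjust them to your own log format and baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Endpoint named in the advisory's "Log Indicators" section.
RESET_PATH = "/pages/UI.php?operation=reset_password"

# Combined/common access-log line: ip - - [ts] "METHOD uri proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for a well-formed access-log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "uri": m.group("uri"),
        "status": int(m.group("status")),
    }


def reset_requests(lines):
    """Group timestamps of POSTs to the reset endpoint by source IP."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["uri"].startswith(RESET_PATH):
            events[rec["ip"]].append(rec["ts"])
    return events


def find_enumeration(lines, window=timedelta(minutes=5), threshold=10):
    """Return {ip: peak_count} for IPs whose reset POSTs exceed `threshold`
    inside any `window`-long interval (sliding window over sorted timestamps)."""
    alerts = {}
    for ip, stamps in reset_requests(lines).items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


# --- Constructed sample log (assumption: not real traffic) ---
_BASE = datetime(2025, 1, 10, 10, 0, 0, tzinfo=timezone.utc)


def _line(ip, second, method="POST", status=200):
    ts = (_BASE + timedelta(seconds=second)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {RESET_PATH} HTTP/1.1" {status} 512'


SAMPLE_LOG = (
    [_line("203.0.113.5", 5 * i) for i in range(12)]   # 12 POSTs in one minute: burst
    + [_line("198.51.100.7", 0), _line("198.51.100.7", 120)]  # normal user, 2 requests
    + [_line("203.0.113.5", 30, method="GET")]          # page load, not a submission
    + ["not an access log line"]                        # malformed input is skipped
)

if __name__ == "__main__":
    for ip, count in find_enumeration(SAMPLE_LOG).items():
        print(f"ALERT possible username enumeration from {ip}: {count} reset POSTs in 5 min")
```

Access logs do not carry the POST body, so the username tried in each request is not visible here; the script therefore alerts on request volume per IP, which matches the "Network Indicators" on this page. If your reverse proxy or WAF logs the submitted login field, extend `parse_line` to capture it and alert on distinct usernames per IP as well.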