CVE-2024-51743
📋 TL;DR
This vulnerability allows an authenticated instructor in MarkUs to write arbitrary files to any location on the web server that the application process can write to, which can lead to remote code execution. It affects MarkUs versions prior to 2.4.8. The risk is highest when the attacker can write Ruby files into config/initializers/, because Rails loads every file in that directory when the application boots.
💻 Affected Systems
- MarkUs
📦 What is this software?
MarkUs, a Ruby on Rails web application for marking student assignments, maintained by the MarkUsProject organization on GitHub.
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via remote code execution, allowing attackers to execute arbitrary commands, steal data, or pivot to other systems.
Likely Case
An attacker with instructor credentials writes a malicious Ruby file into a directory the application loads code from, gaining code execution as the MarkUs process and from there compromising the application and the underlying server.
If Mitigated
With restrictive file system permissions (the account running MarkUs cannot write to config/ or other code directories) and network segmentation, impact could be limited to the data directories MarkUs legitimately writes to.
🎯 Exploit Status
Exploitation requires instructor credentials but is straightforward once authenticated; the vendor advisory provides enough technical detail to reproduce it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.8
Vendor Advisory: https://github.com/MarkUsProject/Markus/security/advisories/GHSA-hwgg-qvjx-572x
Restart Required: Yes
Instructions:
1. Back up your MarkUs instance and database.
2. Update to MarkUs 2.4.8 or later via git pull or your package update.
3. Run bundle install to update dependencies.
4. Restart the MarkUs application server.
5. Verify the fix by checking the version (see How to Verify below).
🔧 Temporary Workarounds
No application-level workarounds
The vendor advisory states that no workarounds exist at the application level; upgrading is the only fix.
🧯 If You Can't Patch
- Restrict instructor account creation and review existing instructor accounts for suspicious activity
- Enforce strict file system permissions so the account running MarkUs cannot write to config/initializers/ or any other directory from which the application loads code
🔍 How to Verify
Check if Vulnerable:
Check the MarkUs version. If it is below 2.4.8, the instance is vulnerable.
Check Version:
Check the MarkUs version in the application interface or review the application configuration files.
Verify Fix Applied:
Confirm the MarkUs version is 2.4.8 or higher and, using an instructor account, test that file uploads can no longer write outside the intended upload directory.
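The version check above is easy to get wrong if versions are compared as plain strings ("2.4.10" sorts before "2.4.8" lexicographically). The helper below is an added example, not code from the advisory or the MarkUs project; how you obtain the version string (admin interface or configuration file, as described above) is left as an assumption and is not part of the code.

```python
"""Added example (not from the advisory or MarkUs): compare a reported MarkUs
version against the release that fixed CVE-2024-51743. Obtaining the version
string from the instance is an assumption left to the operator."""
import re

FIXED_VERSION = "2.4.8"

# Optional leading 'v' and an optional pre-release suffix such as '-rc1'.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(\S+))?$")


def parse_version(text):
    """'2.4.8' -> (2, 4, 8, 1). A pre-release ('2.4.8-rc1') gets a final
    component of 0 so that it sorts before the bare release of the same number."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), 0 if suffix else 1)


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True if the running version is older than the fixed release.
    Tuple comparison is numeric per component, unlike a string comparison."""
    return parse_version(version) < parse_version(fixed)


def check(version):
    """Human-readable verdict for the verification step."""
    state = "VULNERABLE" if is_vulnerable(version) else "patched"
    return f"MarkUs {version.strip()}: {state} (fix: {FIXED_VERSION})"


if __name__ == "__main__":
    for v in ("2.4.7", "2.4.8", "2.4.10", "2.4.8-rc1"):
        print(check(v))
```

Feed it the version string your instance reports; any string the regex does not recognise raises rather than silently passing as "patched".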
📡 Detection & Monitoring
Log Indicators:
- Unusual file write operations by instructor accounts
- File writes to config/initializers/ directory
- Multiple failed file upload attempts
Network Indicators:
- Unusual file upload patterns from instructor accounts
- Large or unexpected file transfers
SIEM Query (generic pseudo-syntax; adapt field names to your log pipeline and include percent-encoded traversal, which a plain "../" match misses):
source="markus_logs" AND (event="file_write" OR event="file_upload") AND user_role="instructor" AND (file_path CONTAINS "config/initializers" OR file_path CONTAINS "../" OR file_path CONTAINS "..%2F" OR file_path CONTAINS "%2e%2e")
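The log indicators above implemented as a check over constructed sample lines, as an added example that is not part of the advisory or of MarkUs itself. The line format, the upload root and the failed-upload threshold are all assumptions (MarkUs does not emit structured events like these; map the fields to whatever your pipeline produces). It goes slightly beyond the SIEM query by resolving each path against the upload root after percent-decoding, so encoded traversal is caught, and by counting failed uploads per user.

```python
"""Added example (not from the advisory or the MarkUs project): the detection
indicators run over constructed log lines. Hypothetical line format:
    <timestamp> user=<name> role=<role> event=<event> status=<ok|fail> path=<path>
"""
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Assumption (hypothetical value): uploads must stay under this directory.
UPLOAD_ROOT = "/var/www/markus/data/uploads"
# Directories from which Rails loads code; a write here is the worst case.
SENSITIVE_DIRS = ("config/initializers",)
WATCHED_EVENTS = ("file_write", "file_upload")
FAILED_UPLOAD_THRESHOLD = 3  # assumption: tune to your environment

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"event=(?P<event>\S+) status=(?P<status>\S+) path=(?P<path>\S+)$"
)


def parse_line(line):
    """Fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def decode(path):
    """Percent-decode twice so %2e%2e and %252e both become '..'."""
    return unquote(unquote(path))


def escapes_root(path, root=UPLOAD_ROOT):
    """True if the path resolves outside root. Relative paths are joined to root,
    absolute paths are checked as given; '..' segments are collapsed before the
    prefix check, which a substring match on '../' cannot do."""
    decoded = decode(path)
    candidate = decoded if decoded.startswith("/") else posixpath.join(root, decoded)
    resolved = posixpath.normpath(candidate)
    return resolved != root and not resolved.startswith(root + "/")


def touches_sensitive_dir(path):
    """True if the decoded, normalised path points into a code-loading directory."""
    normalised = posixpath.normpath(decode(path))
    return any(d in normalised for d in SENSITIVE_DIRS)


def classify(ev):
    """Names of the indicators one instructor file event triggers."""
    hits = []
    if ev["role"] != "instructor" or ev["event"] not in WATCHED_EVENTS:
        return hits
    if escapes_root(ev["path"]):
        hits.append("path_escapes_upload_root")
    if touches_sensitive_dir(ev["path"]):
        hits.append("write_to_config_initializers")
    return hits


def scan(lines):
    """Run every indicator over an iterable of log lines.
    Returns (timestamp, user, indicator, detail) tuples."""
    alerts = []
    failures = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not a file event in the expected format
        for indicator in classify(ev):
            alerts.append((ev["ts"], ev["user"], indicator, ev["path"]))
        if ev["event"] == "file_upload" and ev["status"] == "fail":
            failures[ev["user"]] += 1
    # "Multiple failed file upload attempts": per-user count over the lines scanned
    for user, n in failures.items():
        if n >= FAILED_UPLOAD_THRESHOLD:
            alerts.append(("-", user, "repeated_failed_uploads", str(n)))
    return alerts


# Constructed sample lines: a benign upload, a plain and a percent-encoded traversal
# by an instructor, a traversal by a student, and three failed uploads by one user.
SAMPLE_LOG = """\
2024-11-01T10:00:01Z user=prof_a role=instructor event=file_upload status=ok path=assignments/a1/tests.txt
2024-11-01T10:00:05Z user=prof_b role=instructor event=file_write status=ok path=../../config/initializers/evil.rb
2024-11-01T10:00:09Z user=prof_b role=instructor event=file_write status=ok path=..%2F..%2Fconfig%2Fenvironment.rb
2024-11-01T10:01:00Z user=student_x role=student event=file_upload status=ok path=../../config/initializers/x.rb
2024-11-01T10:02:00Z user=prof_c role=instructor event=file_upload status=fail path=a1/big.zip
2024-11-01T10:02:10Z user=prof_c role=instructor event=file_upload status=fail path=a1/big.zip
2024-11-01T10:02:20Z user=prof_c role=instructor event=file_upload status=fail path=a1/big.zip
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert)
```

The role filter mirrors the SIEM query above, so the student's traversal attempt in the sample is deliberately not reported; widen the check in classify if you want every traversal attempt surfaced regardless of role.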