CVE-2024-52002
📋 TL;DR
This CSRF vulnerability in Combodo iTop allows attackers to trick authenticated users into performing unintended actions by visiting malicious web pages. All iTop installations running versions before 3.2.0 are affected. Several URL endpoints accept state-changing requests without an anti-CSRF check, so an attacker-controlled page can make the victim's browser submit unauthorized changes to the IT service management system.
💻 Affected Systems
- Combodo iTop
📦 What is this software?
iTop, an IT service management (ITSM) web application by Combodo.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify user accounts, change system configurations, create/delete service tickets, or alter access controls, potentially leading to complete system compromise or data manipulation.
Likely Case
Attackers trick administrators into performing unauthorized actions like creating new user accounts with elevated privileges or modifying existing service tickets.
If Mitigated
If every state-changing request is bound to a per-session anti-CSRF token and the session cookie is issued with SameSite=Lax or Strict, a cross-site page cannot forge those requests, so an attacker would need a separate bypass to reach the same outcome. User awareness adds little on its own, because the victim only has to load a page.
🎯 Exploit Status
No attacker account is needed. The attacker only has to get a user who is currently logged into iTop to load attacker-controlled content (a page or an embedded element that auto-submits a form); the victim's browser then sends the forged request with the victim's session cookie. Because several endpoints are affected, exploitation is straightforward once the victim loads that content, and administrators are the highest-value targets.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.0
Vendor Advisory: https://github.com/Combodo/iTop/security/advisories/GHSA-xr4x-xq7v-7gqm
Restart Required: Yes
Instructions:
1. Back up your iTop installation and database.
2. Download iTop version 3.2.0 or later from the official repository.
3. Follow the iTop upgrade documentation to apply the update.
4. Restart the web server service.
5. Verify the upgrade was successful.
🧯 If You Can't Patch
- At the reverse proxy or web server in front of iTop, rewrite the session Set-Cookie header to add SameSite=Lax (or Strict) and reject POST/PUT/DELETE requests whose Origin or Referer header does not name the iTop host. Because iTop is a PHP application, session.cookie_samesite in php.ini (PHP 7.3 and later) sets the attribute on the PHP session cookie. A proxy can block cross-site requests, but it cannot add per-form CSRF tokens to the application, so this is a stopgap, not a replacement for the patch.
- User education is of limited value against CSRF, since the victim only has to load a page; treat it as a supplement. Browser extensions that block cross-site requests protect only the users who install them.
🔍 How to Verify
Check if Vulnerable:
Read the installed version from the About iTop dialog (user menu) in the web interface, or from the ITOP_VERSION constant defined in the PHP source of the install tree. Any version below 3.2.0 is vulnerable. Compare versions numerically, not as strings.
Check Version:
grep -rn --include='*.php' "define('ITOP_VERSION'" /path/to/itop
Verify Fix Applied:
After upgrading, confirm the version shows 3.2.0 or higher using the same checks, then exercise a state-changing form: capture a legitimate submission, replay it with the anti-CSRF token removed or altered, and confirm iTop rejects it. Optionally host a test page on another origin that auto-submits the same form while logged in and check that the action is not performed.
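A numeric version check for the ITOP_VERSION constant, written as an added example for this page (it is not iTop code): it pulls the constant out of a PHP source file and compares it as a tuple, which avoids the lexical trap where the string "3.10.0" sorts below "3.2.0". The file path on the command line and the sample PHP line are assumptions.

```python
"""Extract ITOP_VERSION from a PHP source file and compare it numerically
against the fixed release (3.2.0).  Added example, not part of iTop."""
import re
import sys

FIXED_VERSION = (3, 2, 0)

# Matches a PHP constant definition such as:  define('ITOP_VERSION', '3.1.1-2');
VERSION_RE = re.compile(
    r"""define\(\s*['"]ITOP_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)

# Constructed sample of the kind of line found in the install tree (not a real file).
SAMPLE_PHP = "<?php\n// ...\ndefine('ITOP_VERSION', '3.1.1-2');\n"


def parse_version(version):
    """'3.1.1-2' -> (3, 1, 1).  The '-N' build suffix is dropped and missing
    components are zero-padded, so '3.2' compares equal to '3.2.0'."""
    core = version.split("-", 1)[0]
    parts = tuple(int(p) for p in re.findall(r"\d+", core))
    return parts + (0,) * max(0, 3 - len(parts))


def extract_version(php_source):
    """Return the ITOP_VERSION string, or None if the constant is absent."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None


def is_vulnerable(version):
    """True when the version predates 3.2.0 (numeric, not lexical, comparison)."""
    return parse_version(version) < FIXED_VERSION


def check_file(path):
    """Read a PHP file and report whether the iTop version it declares is affected."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        version = extract_version(fh.read())
    if version is None:
        return f"{path}: ITOP_VERSION not found"
    state = "VULNERABLE (upgrade to 3.2.0+)" if is_vulnerable(version) else "not affected"
    return f"{path}: iTop {version} -> {state}"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: python3 check_itop.py <php file that defines ITOP_VERSION>
        print(check_file(sys.argv[1]))
    else:
        v = extract_version(SAMPLE_PHP)
        print(f"sample: iTop {v} -> {'VULNERABLE' if is_vulnerable(v) else 'not affected'}")
```

Point the script at whichever PHP file the grep above reports; a plain string comparison would misclassify a hypothetical 3.10.x as vulnerable, which is why the tuple comparison matters.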
📡 Detection & Monitoring
Log Indicators:
- State-changing requests (POST/PUT/DELETE) to a form endpoint from a session that never fetched the corresponding form page with GET
- POST requests to iTop endpoints whose Referer (or Origin, if your log format records it) is an external domain or is absent
Network Indicators:
- State-changing requests that carry no anti-CSRF token where one is expected (visible only if request bodies are logged or inspected by a WAF; the vulnerable endpoints accept such requests, so they will not fail on their own)
- Origin or Referer headers naming a domain other than the iTop host on state-changing requests (browsers send Origin on every cross-origin POST; Referer may be stripped by referrer policy)
SIEM Query:
source="iTop_logs" AND http_method IN ("POST","PUT","DELETE") AND (NOT csrf_token=* OR NOT referer="https://<your-itop-host>/*")
Field names (http_method, csrf_token, referer) are placeholders for your log schema. The csrf_token clause only works if the token is extracted from the request body, which standard access logs do not record; the Referer/Origin clause is usually the part you can actually run.
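The log indicators above as runnable detection logic, written for this page rather than taken from iTop or any SIEM: it parses Apache/nginx combined-format access log lines, flags state-changing requests whose Referer is missing or points off-host, and flags submissions from a client that never loaded the form it is posting to. The hostname itop.example.com, the /pages/UI.php path and the log lines are all constructed for the example.

```python
"""Scan web-server access logs for requests to iTop that look like CSRF.
Added example for this page; not part of iTop.  Assumes the Apache/nginx
'combined' log format and an iTop hostname of itop.example.com (placeholder)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

ITOP_HOST = "itop.example.com"                      # assumption: your iTop vhost
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# combined format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not captured from a real system).  Lines 3 and 4 are
# the suspicious ones: a POST referred from an attacker page, and a POST with
# no Referer from a client that never loaded the form it is submitting.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2025:10:00:00 +0000] "GET /pages/UI.php?operation=new&class=Person HTTP/1.1" 200 5120 "https://itop.example.com/pages/UI.php" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jan/2025:10:00:30 +0000] "POST /pages/UI.php HTTP/1.1" 302 0 "https://itop.example.com/pages/UI.php?operation=new&class=Person" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Jan/2025:11:00:00 +0000] "POST /pages/UI.php HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jan/2025:11:05:00 +0000] "POST /pages/UI.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def referer_reason(referer, itop_host):
    """Classify the Referer of a state-changing request; None means it looks same-site."""
    if referer in ("", "-"):
        return "missing-referer"        # weaker signal: referrer policies can strip it
    host = (urlsplit(referer).hostname or "").lower()
    return None if host == itop_host.lower() else "external-referer"


def analyze(lines, itop_host=ITOP_HOST):
    """Return [(line_no, client_ip, path, [reasons])] for suspicious requests.

    Clients are keyed by (ip, user-agent) because the combined format carries
    no session cookie; if you log the session id, key on that instead."""
    seen_get = defaultdict(set)   # client -> set of paths it has fetched with GET so far
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue                  # not a combined-format line; skip rather than guess
        rec = m.groupdict()
        path = urlsplit(rec["target"]).path      # drop the query string
        client = (rec["ip"], rec["ua"])
        if rec["method"] == "GET":
            seen_get[client].add(path)
            continue
        if rec["method"] not in STATE_CHANGING:
            continue
        reasons = []
        r = referer_reason(rec["referer"], itop_host)
        if r:
            reasons.append(r)
        if path not in seen_get[client]:
            reasons.append("no-preceding-get")   # submitted a form it never loaded
        if reasons:
            findings.append((n, rec["ip"], path, reasons))
    return findings


if __name__ == "__main__":
    for n, ip, path, reasons in analyze(SAMPLE_LOG):
        print(f"line {n}: {ip} {path} -> {', '.join(reasons)}")
```

Feed a real file with analyze(open("/var/log/nginx/access.log")); the regex tolerates the trailing newline. The "no-preceding-get" rule is an approximation (a user can legitimately reuse an open form after a log rotation), so treat it as a triage signal and rely on the Referer/Origin rule for alerting. If you can add the Origin header to your log format, check it the same way as Referer; it is sent on every cross-origin POST and is the stronger signal.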