CVE-2024-5275
📋 TL;DR
A hard-coded password in FileCatalyst TransferAgent allows attackers to unlock the keystore and extract private keys for certificates. This enables machine-in-the-middle attacks against agent users. All FileCatalyst Direct versions 3.8.10 Build 138 and earlier, and FileCatalyst Workflow versions 5.1.6 Build 130 and earlier are affected.
💻 Affected Systems
- FileCatalyst Direct
- FileCatalyst Workflow
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers intercept and decrypt all communications between FileCatalyst agents and servers, potentially stealing sensitive data and credentials.
Likely Case
Attackers perform MiTM attacks to intercept file transfers and authentication data.
If Mitigated
Limited to internal network attacks if proper segmentation and monitoring are in place.
🎯 Exploit Status
Exploitation requires knowledge of the hard-coded password but no authentication to the system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FileCatalyst Direct 3.8.11+, FileCatalyst Workflow 5.1.7+
Vendor Advisory: https://www.fortra.com/security/advisory/fi-2024-007
Restart Required: Yes
Instructions:
1. Download latest version from Fortra support portal.
2. Backup current configuration.
3. Install update following vendor documentation.
4. Restart TransferAgent service.
5. Regenerate certificates and keys.
🔧 Temporary Workarounds
Network Segmentation
Isolate FileCatalyst agents from untrusted networks to limit attack surface.
Certificate Replacement
Replace affected certificates with new ones using unique passwords.
🧯 If You Can't Patch
- Disable TransferAgent functionality if not required.
- Implement strict network access controls to limit agent communication to trusted endpoints only.
🔍 How to Verify
Check if Vulnerable:
Check FileCatalyst version in administration console or configuration files against affected versions.
Check Version:
Check version in FileCatalyst admin interface or configuration files (varies by installation).
Verify Fix Applied:
Verify installed version is 3.8.11+ for Direct or 5.1.7+ for Workflow, and confirm new certificates are in use.
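The version and certificate checks described above, as an added example (not part of the original page or of any Fortra tooling). It assumes version strings shaped like "3.8.10 Build 138" and that the certificate's SHA-256 fingerprint was recorded before patching; the function names and the "indeterminate" state are choices made for this example.

```python
import re

# Thresholds taken from the advisory text above: last affected and first fixed release.
RELEASES = {
    "direct":   {"last_affected": ((3, 8, 10), 138), "first_fixed": (3, 8, 11)},
    "workflow": {"last_affected": ((5, 1, 6), 130),  "first_fixed": (5, 1, 7)},
}

# Assumed version-string shape, e.g. "3.8.10 Build 138" (the build part is optional).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s+[Bb]uild\s+(\d+))?\s*$")


def parse_version(text):
    """Return ((major, minor, patch), build or None); raise ValueError if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    build = int(m.group(4)) if m.group(4) is not None else None
    return tuple(int(g) for g in m.group(1, 2, 3)), build


def classify(product, version_text):
    """Return 'affected', 'fixed' or 'indeterminate' for one installation."""
    rel = RELEASES[product.lower()]
    version, build = parse_version(version_text)
    last_version, last_build = rel["last_affected"]
    if version >= rel["first_fixed"]:
        return "fixed"
    if version < last_version:
        return "affected"
    # Same x.y.z as the last affected release: the build number decides.
    if build is not None and build <= last_build:
        return "affected"
    # Build missing, or newer than the last affected build but below the first
    # fixed release: the advisory text does not say, so do not guess.
    return "indeterminate"


def fix_verified(product, version_text, old_cert_sha256, current_cert_sha256):
    """Fix counts as applied only if the version is fixed AND the certificate changed."""
    rotated = old_cert_sha256.strip().lower() != current_cert_sha256.strip().lower()
    return classify(product, version_text) == "fixed" and rotated
```

An "indeterminate" result means the installation needs a manual check against the vendor advisory rather than an automatic pass.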
📡 Detection & Monitoring
Log Indicators:
- Multiple failed keystore access attempts
- Unexpected certificate validation failures
- Unusual network connections to TransferAgent
Network Indicators:
- SSL/TLS handshake anomalies
- Unexpected MiTM proxy detection
- Traffic interception patterns
SIEM Query:
source="filecatalyst" AND (event="keystore_access" OR event="certificate_error")
🔗 References
- https://support.fortra.com/filecatalyst/kb-articles/action-required-by-june-18th-2024-filecatalyst-transferagent-ssl-and-localhost-changes-MWQwYjI3ZGItZmQyMS1lZjExLTg0MGItMDAyMjQ4MGE0MDNm
- https://www.fortra.com/security/advisory/fi-2024-007