CVE-2024-5407
📋 TL;DR
CVE-2024-5407 is a critical PHP code injection vulnerability in RhinOS 3.0-1190 that allows remote attackers to execute arbitrary code through the search parameter. This could lead to complete system compromise via reverse shell. All systems running the vulnerable RhinOS version are affected.
💻 Affected Systems
- RhinOS
📦 What is this software?
RhinOS by Saltos
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining root/system-level access, deploying ransomware, stealing sensitive data, and pivoting to other network systems.
Likely Case
Remote code execution leading to web shell installation, data exfiltration, and lateral movement within the network.
If Mitigated
Limited impact with proper network segmentation, WAF filtering, and restricted file permissions preventing successful exploitation.
🎯 Exploit Status
Exploitation requires no authentication and has been weaponized in the wild. Simple HTTP requests can trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0-1191 or later
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-rhinos-saltos
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download the latest RhinOS version from the official vendor.
3. Apply the update following the vendor documentation.
4. Restart RhinOS services.
5. Verify that the update was successful.
🔧 Temporary Workarounds
WAF Rule Implementation
Deploy web application firewall rules to block malicious search parameter payloads. Note that the keyword patterns below are substring matches, so they will also block benign values that happen to contain "php" or "exec"; tune them against real traffic before enforcing.
# Example ModSecurity rule (t:lowercase makes the match case-insensitive, since @rx is case-sensitive by default):
SecRule ARGS:search "@rx (php|system|exec|shell_exec|passthru)" "id:1001,phase:2,t:lowercase,deny,status:403,msg:'CVE-2024-5407 Block'"
# Example nginx rule (~* is already case-insensitive):
location ~* \.htm$ { if ($args ~* "(php|system|exec)") { return 403; } }
Input Validation Filter
Implement input validation to restrict the search parameter to an allowlist of characters before it is processed.
# PHP example (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1 and only strips tags, so use an explicit allowlist instead):
$search = preg_replace('/[^a-zA-Z0-9\s]/', '', $_GET['search'] ?? '');
# Python (Flask) example:
import re
search = re.sub(r'[^a-zA-Z0-9\s]', '', request.args.get('search', ''))
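To see how the keyword denylist in the WAF example and the character allowlist in the validation example behave side by side, here is an added Python example (not code from this page or from Saltos) that runs both checks over constructed sample inputs. It shows that a plain substring denylist rejects benign words such as "executive" and "phpmyadmin", that a word-bounded variant avoids those false positives while still matching "<?php", and that the allowlist rejects disallowed input outright rather than silently stripping characters. The sample inputs and function names are assumptions for illustration.

```python
import re

# Substring denylist from the page's ModSecurity example, made case-insensitive.
DENYLIST = re.compile(r"(php|system|exec|shell_exec|passthru)", re.IGNORECASE)

# Same keywords with word boundaries: "executive" and "phpmyadmin" no longer
# match, but "<?php" (non-word chars on both sides) still does.
BOUNDED_DENYLIST = re.compile(r"\b(php|system|exec|shell_exec|passthru)\b", re.IGNORECASE)

# Allowlist: letters, digits and whitespace only, 1 to 64 characters.
ALLOWLIST = re.compile(r"^[A-Za-z0-9\s]{1,64}$")

# Constructed sample inputs (assumed for illustration, not real traffic).
SAMPLES = ["annual report 2024", "executive summary", "phpmyadmin", "<?php echo 1; ?>"]


def denylist_blocks(value: str) -> bool:
    """True if the substring denylist would reject this value."""
    return DENYLIST.search(value) is not None


def bounded_denylist_blocks(value: str) -> bool:
    """True if the word-bounded denylist would reject this value."""
    return BOUNDED_DENYLIST.search(value) is not None


def allowlist_accepts(value: str) -> bool:
    """True if the value contains only allowed characters and is within length."""
    return ALLOWLIST.fullmatch(value) is not None


def validate_search(value: str) -> str:
    """Return the value unchanged if it passes the allowlist, otherwise raise.

    Rejecting is preferable to stripping: a stripped value may still reach the
    application in a form the user never intended.
    """
    if not allowlist_accepts(value):
        raise ValueError("search parameter rejected: only letters, digits and spaces are allowed")
    return value


def compare(samples=SAMPLES) -> dict:
    """Verdict of each check per sample; handy for tuning false positives."""
    return {
        s: {
            "denylist": denylist_blocks(s),
            "bounded": bounded_denylist_blocks(s),
            "allowlist": allowlist_accepts(s),
        }
        for s in samples
    }


if __name__ == "__main__":
    for sample, verdict in compare().items():
        print(f"{sample!r}: {verdict}")
```

The allowlist is the check to rely on at the application layer; the denylists are only a stopgap at the WAF, and the comparison output shows which benign searches each variant would break.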
🧯 If You Can't Patch
- Implement strict network segmentation to isolate RhinOS systems from critical infrastructure
- Deploy intrusion detection systems (IDS) to monitor for exploitation attempts and block malicious IPs
🔍 How to Verify
Check if Vulnerable:
Check RhinOS version via web interface or SSH: cat /etc/rhinos/version or check web admin panel. Version 3.0-1190 indicates vulnerable system.
Check Version:
ssh user@rhinos-host "cat /etc/rhinos/version" or check web interface at https://[rhinos-ip]/admin
Verify Fix Applied:
Verify version is 3.0-1191 or later. Test search functionality with safe payloads to ensure no code execution occurs.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST/GET requests to /portal/search.htm with PHP functions in parameters
- Web server logs showing 500 errors from search endpoint
- System logs showing unexpected process execution from web user
Network Indicators:
- HTTP requests containing PHP code in search parameter
- Outbound connections from web server to unknown external IPs on unusual ports
- Increased traffic to search endpoint from single source
SIEM Query:
source="web_logs" AND (url="/portal/search.htm" AND (search="*php*" OR search="*system(*" OR search="*exec(*"))
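The log indicators and SIEM query above can be implemented directly against web server access logs. The following is an added Python example (not code from this page or from Saltos) that parses a few constructed combined-format log lines, flags requests to /portal/search.htm whose search parameter decodes to contain "php", "system(" or "exec(", counts 500 responses from the search endpoint, and tallies hits per source IP to surface a single source generating unusual volume. The log lines, IP addresses and timestamps are constructed for the example; note that access logs do not record POST bodies, so parameters sent in a POST body need a WAF or application log to inspect.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /portal/search.htm?search=annual+report HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2024:12:00:02 +0000] "GET /portal/search.htm?search=%3C%3Fphp+echo+1%3B+%3F%3E HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.7 - - [10/Jun/2024:12:00:03 +0000] "POST /portal/search.htm HTTP/1.1" 200 3100 "-" "curl/8.0"
203.0.113.9 - - [10/Jun/2024:12:00:04 +0000] "GET /index.htm HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2024:12:00:05 +0000] "GET /portal/search.htm?search=system%28 HTTP/1.1" 500 0 "-" "curl/8.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SEARCH_PATH = "/portal/search.htm"

# Mirrors the SIEM query terms: *php*, *system(*, *exec(*
SUSPECT = re.compile(r"php|system\s*\(|exec\s*\(", re.IGNORECASE)


def parse_line(line: str):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qs percent-decodes the value and turns '+' into spaces, so the
    # match runs on what the application actually sees.
    entry["search"] = parse_qs(parts.query).get("search", [""])[0]
    return entry


def is_suspicious(entry: dict) -> bool:
    """Request to the search endpoint whose search parameter contains PHP-style tokens."""
    return entry["path"] == SEARCH_PATH and SUSPECT.search(entry["search"]) is not None


def analyze(log_text: str) -> dict:
    """Return alerts, 500-error count on the search endpoint, and hits per source."""
    alerts = []
    per_source = Counter()
    search_500_errors = 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["path"] != SEARCH_PATH:
            continue
        per_source[entry["ip"]] += 1
        if entry["status"] == "500":
            search_500_errors += 1
        if is_suspicious(entry):
            alerts.append({
                "ip": entry["ip"],
                "ts": entry["ts"],
                "search": entry["search"],
                "status": entry["status"],
            })
    return {
        "alerts": alerts,
        "search_500_errors": search_500_errors,
        "per_source": per_source,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for alert in result["alerts"]:
        print(f"ALERT {alert['ts']} {alert['ip']} status={alert['status']} search={alert['search']!r}")
    print("500 errors on search endpoint:", result["search_500_errors"])
    print("hits on search endpoint per source:", dict(result["per_source"]))
```

Feeding a real access log into `analyze` gives the same three signals the page lists: decoded payload matches, server errors from the endpoint, and per-source volume; pair it with the SIEM query for retention and correlation with the process-execution indicators from the host.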