CVE-2024-6424
📋 TL;DR
This vulnerability in MESbook allows unauthenticated attackers to make server-side requests to internal systems via vulnerable API endpoints. Attackers can read web source code, access internal files, and reach network resources that should be restricted. All systems running the affected MESbook version are vulnerable.
💻 Affected Systems
- MESbook
📦 What is this software?
Mesbook by Mesbook
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of internal network through lateral movement, data exfiltration of sensitive files, and potential credential theft from internal systems.
Likely Case
Unauthorized access to internal files and web resources, source code disclosure, and reconnaissance of internal network infrastructure.
If Mitigated
Limited impact if network segmentation prevents access to sensitive systems and proper authentication controls are in place.
🎯 Exploit Status
The vulnerability is straightforward to exploit by crafting requests to the vulnerable endpoints with target URIs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in available references
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-mesbook
Restart Required: No
Instructions:
No official patch instructions available. Check vendor advisory for updates and apply any available patches immediately.
🔧 Temporary Workarounds
Block Vulnerable Endpoints
Use a web application firewall or reverse proxy to block access to the /api/Proxy/ endpoints (match case-insensitively so that variants such as /API/proxy/ are blocked as well)
# Example nginx location block (~* = case-insensitive regex match)
location ~* ^/api/Proxy/ { deny all; }
# Example Apache .htaccess (RewriteEngine must be enabled; NC = case-insensitive, F = return 403 Forbidden)
RewriteEngine On
RewriteRule ^api/Proxy/.*$ - [F,NC]
Network Segmentation
Isolate the MESbook server from internal network resources to limit the attack surface
# Configure host and perimeter firewall rules to restrict outbound connections from the MESbook server to only the destinations it legitimately needs
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the MESbook server from sensitive internal resources
- Deploy web application firewall with rules to detect and block SSRF patterns and restrict access to /api/Proxy/ endpoints
🔍 How to Verify
Check if Vulnerable:
Test if /api/Proxy/Post or /api/Proxy/Get endpoints accept URI parameters and can access internal resources. Example: curl 'http://target/api/Proxy/Get?uri=http://localhost'
Check Version:
Check MESbook version in application interface or configuration files (specific command depends on deployment)
Verify Fix Applied:
Verify that requests to /api/Proxy/ endpoints are blocked or properly authenticated, and SSRF attempts fail
📡 Detection & Monitoring
Log Indicators:
- Requests to /api/Proxy/ endpoints with URI parameters
- Unusual outbound connections from MESbook server to internal resources
- Access patterns suggesting SSRF attempts
Network Indicators:
- Outbound HTTP requests from MESbook server to internal IP ranges
- Traffic to unexpected internal services from the MESbook host
SIEM Query:
source="web_logs" AND (uri="/api/Proxy/Post" OR uri="/api/Proxy/Get") AND (query_parameter="uri=" OR query_parameter="URI=")
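The log indicators and the SIEM query above can be checked offline against web server access logs. The following script is an added example written for this page, not MESbook's code or part of the vendor advisory: it parses constructed combined-format access-log lines (the IPs, timestamps and paths are made up), flags requests to /api/Proxy/Get and /api/Proxy/Post that carry a uri/URI parameter, and rates a hit as high severity when the proxied target is loopback, private, link-local or a single-label internal hostname.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2024:10:00:01 +0000] "GET /api/Proxy/Get?uri=http://localhost/ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jul/2024:10:00:02 +0000] "POST /api/Proxy/Post?URI=http%3A%2F%2F192.168.1.10%2Fadmin HTTP/1.1" 200 88
203.0.113.7 - - [01/Jul/2024:10:00:03 +0000] "GET /api/Proxy/Get?uri=https://example.com/status HTTP/1.1" 200 1024
203.0.113.7 - - [01/Jul/2024:10:00:04 +0000] "GET /api/Orders/List HTTP/1.1" 200 2048
"""

# client, timestamp, method, request target, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
PROXY_PATH_RE = re.compile(r'^/api/Proxy/(Get|Post)$', re.IGNORECASE)


def target_is_internal(target: str) -> bool:
    """True when the proxied URL points at loopback, private or link-local space,
    'localhost', or a single-label name that only internal DNS would resolve."""
    host = urlsplit(target).hostname
    if host is None:
        return False
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host  # bare hostname such as 'fileserver'
    return ip.is_loopback or ip.is_private or ip.is_link_local


def find_ssrf_attempts(log_text: str) -> list:
    """Return one record per /api/Proxy/{Get,Post} request that carries a uri/URI parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, request, status = m.groups()
        parts = urlsplit(request)
        if not PROXY_PATH_RE.match(parts.path):
            continue
        params = parse_qs(parts.query)  # also percent-decodes the values
        targets = [v for k, vs in params.items() if k.lower() == "uri" for v in vs]
        for target in targets:
            hits.append({"client": client, "time": ts, "method": method,
                         "endpoint": parts.path, "target": target, "status": int(status),
                         "severity": "high" if target_is_internal(target) else "medium"})
    return hits


if __name__ == "__main__":
    for hit in find_ssrf_attempts(SAMPLE_LOG):
        print(f"[{hit['severity']}] {hit['client']} {hit['method']} {hit['endpoint']} -> {hit['target']}")
```

Point it at real access logs by replacing SAMPLE_LOG with the file contents; any high-severity hit should be correlated with the outbound-connection indicators listed above.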