CVE-2024-6580
📋 TL;DR
The /n software IPWorks SSH library's SFTPServer component can be tricked into accessing unintended filesystem or network paths when loading SSH public keys or certificates. This vulnerability affects applications using vulnerable versions of IPWorks SSH that grant user access without proper key/certificate verification. Attackers could potentially read sensitive files or access network resources.
💻 Affected Systems
- /n software IPWorks SSH library
📦 What is this software?
IPWorks SSH by /n software
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized file system access leading to sensitive data exposure, credential theft, or lateral movement to internal network resources.
Likely Case
Information disclosure through reading of configuration files, logs, or other accessible files on the server.
If Mitigated
No impact if applications properly validate SSH keys/certificates before granting access.
🎯 Exploit Status
Exploitation requires the vulnerable application to have an improper authentication flow (granting access before the supplied key or certificate has been verified). It is not directly exploitable without such an application-level weakness.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.0.8945 and 24.0.8945
Vendor Advisory: https://www.nsoftware.com/kb/articles/cve-2024-5806
Restart Required: Yes
Instructions:
1. Identify applications using the IPWorks SSH library.
2. Update to version 22.0.8945 or 24.0.8945.
3. Rebuild and redeploy affected applications.
4. Restart services using the updated library.
🔧 Temporary Workarounds
Implement proper SSH key validation
Ensure applications verify SSH public keys or certificates before granting user access.
Restrict filesystem permissions
Run the SFTP server with minimal filesystem permissions to limit potential damage.
🧯 If You Can't Patch
- Implement strict application-level authentication requiring SSH key verification before access
- Isolate SFTP servers in network segments with limited access to sensitive resources
🔍 How to Verify
Check if Vulnerable:
Check application dependencies for IPWorks SSH library versions before 22.0.8945 or 24.0.8945.
Check Version:
Check the application's dependency manifest or library files for the IPWorks SSH version.
Verify Fix Applied:
Verify IPWorks SSH library version is 22.0.8945 or 24.0.8945 in application dependencies.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns from SFTP connections
- Failed authentication attempts followed by unexpected file reads
Network Indicators:
- SFTP connections attempting to access non-standard paths or network resources
SIEM Query:
source="sftp_server" AND ((event="file_access" AND NOT path CONTAINS "/authorized/") OR (event="network_connection" AND NOT dest_ip IN [allowed_ips]))
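The SIEM query above, written out as runnable detection logic over constructed log lines; this is an added example, not part of the advisory. The key="value" log format, the `/authorized/` tree and the destination allowlist are assumptions, and the path check is tightened to a normalized prefix match so that a `../` segment cannot slip past a plain CONTAINS test.

```python
import posixpath
import re
from typing import Dict, List

# Constructed sample events in an assumed key="value" format (not real server output).
SAMPLE_LOGS = [
    'source="sftp_server" event="file_access" user="alice" path="/authorized/alice/report.csv"',
    'source="sftp_server" event="file_access" user="bob" path="/etc/passwd"',
    'source="sftp_server" event="file_access" user="alice" path="/authorized/alice/../../etc/shadow"',
    'source="sftp_server" event="network_connection" user="bob" dest_ip="10.0.0.5"',
    'source="sftp_server" event="network_connection" user="carol" dest_ip="203.0.113.9"',
    'source="sshd" event="file_access" user="dave" path="/var/log/auth.log"',
]

AUTHORIZED_PREFIX = "/authorized/"   # assumed root of legitimate SFTP access
ALLOWED_IPS = {"10.0.0.5"}           # assumed allowlist of permitted destinations

_FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" log line into a dict of fields."""
    return dict(_FIELD.findall(line))


def is_suspicious(ev: Dict[str, str]) -> bool:
    """Apply the advisory's SIEM logic to a single parsed event:
    an SFTP file access outside the authorized tree, or an SFTP-side
    network connection to a host that is not on the allowlist."""
    if ev.get("source") != "sftp_server":
        return False
    if ev.get("event") == "file_access":
        # Normalize first so "/authorized/x/../../etc/shadow" is judged as "/etc/shadow".
        path = posixpath.normpath(ev.get("path", ""))
        return not path.startswith(AUTHORIZED_PREFIX)
    if ev.get("event") == "network_connection":
        return ev.get("dest_ip") not in ALLOWED_IPS
    return False


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that should raise an alert."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print("ALERT", hit)
```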