CVE-2024-6851
📋 TL;DR
This vulnerability allows arbitrary file deletion on systems running the aim tracking server. The cleanup routine of aim's LocalFileManager hands a glob pattern to the filesystem without confining it to the directory it manages, so an attacker who can supply that pattern can delete files outside the intended directory, causing data loss or service disruption. Users of aimhubio/aim version 3.22.0 are affected.
💻 Affected Systems
- aimhubio/aim
📦 What is this software?
Aim by Aimstack
⚠️ Risk & Real-World Impact
Worst Case
Deletion of critical system or application files by the account the aim server runs as. If the server runs as root, this can remove configuration, logs, or binaries the host depends on, leaving it unstable or unable to start services; in every case it is a denial-of-service and data-loss outcome rather than code execution.
Likely Case
Deletion of application files, logs, or user data causing service interruption and potential data corruption.
If Mitigated
If the server runs as a low-privilege account with write access only to its own repository directory, deletion is confined to files that account could already remove, i.e. aim's own data.
🎯 Exploit Status
Exploitation requires crafting a malicious glob pattern and the ability to reach the code path that passes it to the cleanup function. No public exploit code is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.22.1 or later
Vendor Advisory: https://huntr.com/bounties/839703fb-23b7-4dc4-ae81-44cd4740d3f3
Restart Required: No host reboot, but the running aim server process must be restarted so it loads the updated library; a Python process keeps the old module code in memory until then.
Instructions:
1. Update aim to version 3.22.1 or later with the pip of the environment that serves aim: 'pip install --upgrade "aim>=3.22.1"'.
2. Verify the update completed successfully: 'pip show aim | grep Version' should report 3.22.1 or later.
3. Restart the running aim server process so it picks up the patched code; no host reboot is needed.
🔧 Temporary Workarounds
Disable LocalFileManager cleanup
Prevent the vulnerable cleanup function from being called by disabling or modifying the LocalFileManager configuration.
Modify aim configuration to disable automatic cleanup or restrict glob-pattern inputs
Restrict file system permissions
Run the aim server with minimal file system permissions to limit the scope of potential file deletions. Deletion happens with the privileges of the server process, so this bounds the worst case directly.
Run aim as a non-privileged user with restricted directory access
🧯 If You Can't Patch
- Implement strict input validation for glob-pattern parameters: reject absolute patterns and any `..` path component, and verify that every match, after resolving symlinks, still lies under the managed directory.
- Deploy file integrity monitoring to detect unauthorized file deletions and alert on suspicious patterns.
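The two points above (a cleanup routine that trusts a caller-supplied glob pattern, and the validation that confines it) as an added, self-contained example. This is illustrative code written for this page, not aim's LocalFileManager; the function names, the temporary directory layout and the patterns are constructed. It shows the two escapes a practitioner should test for, traversal through `..` and traversal through a symlinked directory inside the managed tree, and that the hardened variant still performs legitimate in-directory cleanup.

```python
"""Added example, not aim's own code: a cleanup routine that removes files
matching a caller-supplied glob pattern, in the vulnerable shape the advisory
describes and in a path-confined shape. Paths and names are constructed."""
import glob
import os
import tempfile
from pathlib import Path


def cleanup_unsafe(base_dir: str, pattern: str) -> list[str]:
    """Vulnerable shape: the pattern is joined onto base_dir and handed to glob.
    os.path.join discards base_dir when the pattern is absolute, and glob walks
    '..' components and symlinked directories, so the caller picks the files."""
    removed = []
    for path in glob.glob(os.path.join(base_dir, pattern)):
        if os.path.isfile(path):
            os.remove(path)
            removed.append(path)
    return removed


def cleanup_safe(base_dir: str, pattern: str) -> list[str]:
    """Hardened shape: refuse absolute and traversing patterns up front, then
    re-check every match after resolving symlinks so a link inside base_dir
    cannot redirect the deletion outside it."""
    root = Path(base_dir).resolve()
    if os.path.isabs(pattern) or ".." in Path(pattern).parts:
        raise ValueError(f"pattern leaves the managed directory: {pattern!r}")
    removed = []
    for match in root.glob(pattern):
        if not match.resolve().is_relative_to(root):
            continue  # symlink escape: the real target is outside root
        if match.is_file():
            match.unlink()
            removed.append(str(match))
    return removed


def probe(cleanup) -> dict:
    """Exercise one cleanup variant against a constructed layout:
    <tmp>/repo (managed), <tmp>/outside/secret.txt, and repo/link -> outside.
    Returns whether each escape succeeded and whether in-repo cleanup still works."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp, "repo")
        outside = Path(tmp, "outside")
        repo.mkdir()
        outside.mkdir()
        secret = outside / "secret.txt"
        (repo / "link").symlink_to(outside, target_is_directory=True)
        (repo / "run.log").write_text("stale")

        secret.write_text("keep me")
        try:
            cleanup(str(repo), "../outside/*.txt")   # escape via '..'
        except ValueError:
            pass
        traversal = not secret.exists()

        secret.write_text("keep me")
        cleanup(str(repo), "link/*.txt")             # escape via symlinked directory
        symlink = not secret.exists()

        cleanup(str(repo), "*.log")                  # legitimate in-repo cleanup
        legit = not (repo / "run.log").exists()

    return {"traversal": traversal, "symlink": symlink, "legit": legit}


def demo() -> dict:
    return {fn.__name__: probe(fn) for fn in (cleanup_unsafe, cleanup_safe)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The up-front check on `..` and absolute patterns stops the obvious case, but it is the post-glob `resolve()` containment check that catches the symlinked-directory case, which is why the hardened variant does both.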
🔍 How to Verify
Check if Vulnerable:
Check the installed aim version with the pip of the environment that runs the server: 'pip show aim | grep Version'. If the version is 3.22.0, the advisory applies; anything below 3.22.1 does not carry the fix.
Check Version:
pip show aim | grep Version
Verify Fix Applied:
After updating, verify the version is 3.22.1 or later ('pip show aim | grep Version') and confirm the aim server process was restarted after the upgrade, since a process started before the upgrade still runs the old code.
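The version check above, as an added example rather than anything shipped with aim: it reads the installed version from the current interpreter's package metadata and compares it against 3.22.1, treating a pre-release of 3.22.1 as unfixed. Run it with the same interpreter or virtualenv that serves aim, because pip output from another environment says nothing about the running server.

```python
"""Added check, not part of aim: decide from a version string whether the
CVE-2024-6851 fix (aim 3.22.1) is present, and report what this interpreter
has installed."""
import re
from importlib import metadata

FIXED_IN = (3, 22, 1)
_VERSION = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(.*?)\s*$")
# pre-release markers such as a1, b2, rc1, .dev0 (but not .post1 or +local)
_PRERELEASE = re.compile(r"(?:a|b|rc|dev)\d*(?:$|[+.])")


def is_fixed(version: str) -> bool:
    """True when version is 3.22.1 or later. A pre-release of 3.22.1 (e.g.
    3.22.1rc1) is treated as unfixed; a post-release or local build is fixed."""
    m = _VERSION.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    base = (int(m[1]), int(m[2]), int(m[3] or 0))
    if base != FIXED_IN:
        return base > FIXED_IN
    return not _PRERELEASE.search(m[4].lower())


def installed_aim_status() -> str:
    """Run inside the interpreter/venv that serves aim."""
    try:
        version = metadata.version("aim")
    except metadata.PackageNotFoundError:
        return "aim is not installed in this interpreter"
    state = "patched" if is_fixed(version) else "VULNERABLE to CVE-2024-6851"
    return f"aim {version}: {state}"


if __name__ == "__main__":
    print(installed_aim_status())
```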
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion patterns in system logs
- Error messages related to file cleanup failures
- Multiple delete operations from aim processes
Network Indicators:
- Requests to the endpoint that reaches the cleanup function whose glob parameter contains an absolute path or `..` components
SIEM Query (pseudo-syntax with ECS field names; replace the path with your aim repository directory, `.aim` by default, and note that the server may be logged as a python process rather than as aim):
(process.name:"aim" OR (process.name:"python" AND process.command_line:*aim*)) AND file.action:"delete" AND NOT file.path:*/.aim/*
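The detection logic of this section run over sample events, as an added example that belongs to neither aim nor any SIEM product. The events are constructed ECS-style JSON lines, the repository path `/srv/aim` is an assumption, and the two rules are the ones listed above: deletes by the aim server outside its repository directory (after normalising `..` in the logged path), and bursts of deletes from one aim process. The process match covers both the `aim` entry point and a python interpreter whose command line runs it.

```python
"""Added detection logic, not part of aim or of any SIEM product: run the page's
two rules (deletes outside the repository directory, bursts of deletes) over
ECS-style JSON events. The events below are constructed, not real telemetry."""
import json
import posixpath
from collections import defaultdict
from datetime import datetime

SAMPLE_EVENTS = """\
{"@timestamp":"2024-07-19T10:00:01Z","process":{"name":"aim","pid":4121,"command_line":"aim up --repo /srv/aim"},"file":{"action":"delete","path":"/srv/aim/.aim/locks/run1.lock"}}
{"@timestamp":"2024-07-19T10:00:02Z","process":{"name":"python","pid":4121,"command_line":"/opt/venv/bin/python /opt/venv/bin/aim up --repo /srv/aim"},"file":{"action":"delete","path":"/etc/cron.d/backup"}}
{"@timestamp":"2024-07-19T10:00:02Z","process":{"name":"python","pid":4121,"command_line":"/opt/venv/bin/python /opt/venv/bin/aim up --repo /srv/aim"},"file":{"action":"delete","path":"/srv/aim/.aim/../../../var/log/app/app.log"}}
{"@timestamp":"2024-07-19T10:00:03Z","process":{"name":"rm","pid":5000,"command_line":"rm /tmp/scratch"},"file":{"action":"delete","path":"/tmp/scratch"}}
{"@timestamp":"2024-07-19T10:00:03Z","process":{"name":"aim","pid":4121,"command_line":"aim up --repo /srv/aim"},"file":{"action":"create","path":"/srv/aim/.aim/meta/index"}}
"""


def is_aim_process(proc: dict) -> bool:
    """The server may be logged as 'aim' or as the python interpreter running the
    aim entry point, so match on the command line as well as the name."""
    if proc.get("name") == "aim":
        return True
    return any(posixpath.basename(tok) == "aim"
               for tok in proc.get("command_line", "").split())


def iter_events(raw: str):
    for line in raw.splitlines():
        if line.strip():
            yield json.loads(line)


def under_roots(path: str, roots: list[str]) -> bool:
    """Collapse '..' before comparing, so a logged traversal path is not
    mistaken for a path inside the repository."""
    clean = posixpath.normpath(path)
    return any(clean == r or clean.startswith(r.rstrip("/") + "/") for r in roots)


def escaped_deletes(raw: str, allowed_roots: list[str]) -> list[str]:
    """Rule 1: deletes by the aim server outside its repository directory."""
    hits = []
    for ev in iter_events(raw):
        if ev["file"].get("action") != "delete" or not is_aim_process(ev["process"]):
            continue
        if not under_roots(ev["file"]["path"], allowed_roots):
            hits.append(ev["file"]["path"])
    return hits


def delete_bursts(raw: str, threshold: int = 3, window_s: int = 60) -> dict[int, int]:
    """Rule 2: per-pid count of aim deletes within any sliding window of
    window_s seconds, reported once it reaches threshold."""
    times = defaultdict(list)
    for ev in iter_events(raw):
        if ev["file"].get("action") == "delete" and is_aim_process(ev["process"]):
            ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
            times[ev["process"]["pid"]].append(ts)
    bursts = {}
    for pid, stamps in times.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                bursts[pid] = max(bursts.get(pid, 0), end - start + 1)
    return bursts


if __name__ == "__main__":
    print("escaped deletes:", escaped_deletes(SAMPLE_EVENTS, ["/srv/aim"]))
    print("delete bursts:", delete_bursts(SAMPLE_EVENTS))
```

Tune `allowed_roots` to every directory the server legitimately writes to (the repository plus any configured temp or log location), otherwise normal housekeeping will page the on-call engineer.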