CVE-2024-9006

6.3 MEDIUM

📋 TL;DR

This critical vulnerability in 123solar 1.8.4.5 allows remote attackers to execute arbitrary code by manipulating the PASSOx parameter in the config/config_invt1.php file. The vulnerability affects all systems running the vulnerable version of 123solar, particularly those exposed to untrusted networks. Attackers can exploit this without authentication to gain control of affected systems.

💻 Affected Systems

Products:
  • jeanmarc77 123solar
Versions: 1.8.4.5 (specific version mentioned, but earlier versions may also be vulnerable)
Operating Systems: Any OS running 123solar (typically Linux-based systems)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration of the config/config_invt1.php file. Any system where this file is accessible through the web interface is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, install malware, pivot to other systems, and potentially disrupt solar monitoring operations.

🟠 Likely Case

Remote code execution leading to data theft, system manipulation, or deployment of ransomware on vulnerable 123solar installations.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to the vulnerable component.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing systems extremely vulnerable.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require attacker access to internal networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details have been publicly disclosed and the vulnerability is remotely exploitable without authentication, making weaponization highly probable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit f4a8c748ec436e5a79f91ccb6a6f73752b336aa5

Vendor Advisory: https://github.com/jeanmarc77/123solar/commit/f4a8c748ec436e5a79f91ccb6a6f73752b336aa5

Restart Required: No

Instructions:

1. Back up current configuration files.
2. Apply the patch from GitHub commit f4a8c748ec436e5a79f91ccb6a6f73752b336aa5.
3. Verify the config/config_invt1.php file no longer contains vulnerable code.
4. Test solar monitoring functionality.

🔧 Temporary Workarounds

Restrict Access to Config File

all

Block external access to the vulnerable config/config_invt1.php file using web server configuration.

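# For Apache 2.4+: add to .htaccess or virtual host config
<Files "config_invt1.php">
    Require all denied
</Files>
# For Apache 2.2 (or 2.4 with mod_access_compat), use inside the same <Files> block:
#     Order deny,allow
#     Deny from all
# For Nginx: add to server block, before any generic "\.php$" regex location
# (regex locations are evaluated in order of appearance; the first match wins)
location ~ /config/config_invt1\.php$ {
    deny all;
    return 403;
}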

Input Validation Enhancement

all

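Add input validation for the PASSOx parameter before processing.

# Add to config/config_invt1.php before parameter usage
# Validates GET and POST, only when the parameter is present; rejects arrays
# \A...\z anchors the whole value ('$' alone would accept a trailing newline)
foreach (array($_GET, $_POST) as $src) {
    if (isset($src['PASSOx']) && (!is_string($src['PASSOx']) || !preg_match('/\A[a-zA-Z0-9_\-]+\z/', $src['PASSOx']))) {
        die('Invalid parameter');
    }
}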

🧯 If You Can't Patch

  • Isolate the 123solar system on a separate network segment with strict firewall rules
  • Implement web application firewall (WAF) rules to block requests containing suspicious patterns in the PASSOx parameter

🔍 How to Verify

Check if Vulnerable:

Check if config/config_invt1.php exists and contains code that processes the PASSOx parameter without proper validation. Test by accessing the file with a test payload in the PASSOx parameter.

Check Version:

Check the 123solar version in the software interface or examine version files in the installation directory.

Verify Fix Applied:

Verify that the patch commit f4a8c748ec436e5a79f91ccb6a6f73752b336aa5 has been applied to config/config_invt1.php and that input validation has been implemented for the PASSOx parameter.

📡 Detection & Monitoring

Log Indicators:

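  • Unusual POST/GET requests to config/config_invt1.php with suspicious PASSOx parameter values
  • System commands executed from the web process context
  • Unexpected process creation by the web server user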

Network Indicators:

  • HTTP requests containing code injection patterns in the PASSOx parameter
  • Outbound connections from 123solar system to unknown external IPs

SIEM Query:

source="web_logs" AND uri="/config/config_invt1.php" AND (param="PASSOx" AND value MATCHES "[;|&`$()]+")
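The same check as the SIEM query above, as an added example (not part of the original page or the 123solar project) that also catches percent-encoded metacharacters, which a regex over the raw URI misses. It assumes Combined Log Format access logs; the sample lines, the IP address and the /123solar/ install prefix are constructed for illustration, and POST bodies are not covered because access logs do not record them.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Same metacharacter class as the SIEM query on this page.
SUSPICIOUS = re.compile(r"[;|&`$()]")
TARGET = "/config/config_invt1.php"
# Request field of a Combined Log Format line: "METHOD URI PROTOCOL"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Oct/2024:10:00:01 +0000] '
    '"GET /config/config_invt1.php?PASSOx=inverter_1 HTTP/1.1" 200 12',
    '203.0.113.7 - - [01/Oct/2024:10:00:02 +0000] '
    '"GET /config/config_invt1.php?PASSOx=a;id HTTP/1.1" 200 12',
    '203.0.113.7 - - [01/Oct/2024:10:00:03 +0000] '
    '"GET /123solar/config/config_invt1.php?PASSOx=a%3Bid HTTP/1.1" 200 12',
    '203.0.113.7 - - [01/Oct/2024:10:00:04 +0000] '
    '"GET /index.php?PASSOx=a%3Bid HTTP/1.1" 200 12',
]

def suspicious_passox(line):
    """Return the decoded PASSOx value if the line is a hit, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    # endswith() also covers installs under a sub-directory (assumption).
    if not parts.path.endswith(TARGET):
        return None
    # parse_qsl percent-decodes each value, so %3B is inspected as ';'.
    for name, value in parse_qsl(parts.query, keep_blank_values=True,
                                 separator="&"):
        if name == "PASSOx" and SUSPICIOUS.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every suspicious request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_passox(line)
        if value is not None:
            hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious PASSOx value {value!r}")
```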
