Executive Summary
CVE-2024-2389 is a critical operating system command injection vulnerability identified in Flowmon versions prior to 11.1.14 and 12.3.5. This vulnerability allows an unauthenticated user to gain access to the system via the Flowmon management interface, enabling the execution of arbitrary system commands. The vulnerability has a CVSS v3.1 Base Score of 10.0, indicating its critical nature. Immediate action is required to update to the latest versions and implement additional security measures to mitigate the risk of exploitation.
Technical Information
CVE-2024-2389 is a severe vulnerability that affects Flowmon versions prior to 11.1.14 and 12.3.5. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')). An unauthenticated attacker can exploit this vulnerability through the Flowmon management interface, allowing them to execute arbitrary system commands. The CVSS v3.1 Base Score of 10.0 reflects the critical impact of this vulnerability, with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
The vulnerability arises due to improper input validation in the Flowmon management interface, which fails to neutralize special elements used in OS commands. This allows an attacker to inject malicious commands that the system executes with high privileges. The potential impact includes complete system compromise, data exfiltration, and disruption of services.
Exploitation in the Wild
There have been multiple reports of CVE-2024-2389 being exploited in the wild. A Proof of Concept (PoC) for this vulnerability has been released on GitHub, which includes a Python script to exploit the vulnerability and gain a reverse shell on the target system. The PoC can be found here: https://github.com/adhikara13/CVE-2024-2389. Additionally, Metasploit modules have been developed to exploit this vulnerability, including an unauthenticated command injection module (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/progress_flowmon_unauth_cmd_injection.rb) and a local privilege escalation module (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/progress_flowmon_sudo_privesc_2024.rb).
APT Groups using this vulnerability
Advanced Persistent Threat (APT) groups have been observed exploiting CVE-2024-2389 to target critical infrastructure sectors, including energy, healthcare, and finance, primarily in North America and Europe. These groups leverage the vulnerability to gain initial access to systems, establish persistence, and exfiltrate sensitive data. The exploitation of this vulnerability by APT groups underscores the importance of timely patching and robust security measures.
Affected Product Versions
The following versions of Flowmon are affected by CVE-2024-2389:
- Flowmon versions prior to 11.1.14
- Flowmon versions prior to 12.3.5
Organizations using these versions are at high risk and should prioritize updating to the latest versions immediately.
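As an added example (not from the advisory, and not code from Progress or Kemp), a small Python triage helper that applies the two fixed releases listed above to an inventory of Flowmon versions. Hostnames are placeholders, and treating branches the advisory does not name (such as 10.x) as "unknown" is an assumption.

```python
import re

# Fixed releases named in the advisory, keyed by major version branch.
FIXED_VERSIONS = {11: (11, 1, 14), 12: (12, 3, 5)}


def parse_version(text):
    """Parse a dotted 'major.minor.patch' string into a tuple of ints.

    Tuples compare numerically, so 12.10.0 sorts after 12.3.5; a plain
    string comparison would get that wrong.
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version_text):
    """True if the version is below the fixed release of its branch.

    Branches the advisory does not list (assumption: e.g. 10.x) return None
    (unknown) rather than a guess, so they can be triaged by hand.
    """
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    return version < fixed


def triage(inventory):
    """Split a {hostname: version} inventory into affected/patched/unknown."""
    result = {"affected": [], "patched": [], "unknown": []}
    for host, version_text in inventory.items():
        state = is_affected(version_text)
        bucket = "unknown" if state is None else ("affected" if state else "patched")
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are placeholders.
    sample = {"collector-a": "11.1.13", "collector-b": "12.3.5", "legacy-c": "10.2.0"}
    print(triage(sample))
```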
Workaround and Mitigation
To mitigate the risk posed by CVE-2024-2389, organizations should take the following steps:
- Update Flowmon to version 11.1.14 or 12.3.5, where this vulnerability has been patched.
- Ensure that the Flowmon management interface is not exposed to the internet and is accessible only from trusted networks.
- Implement monitoring and detection mechanisms to identify unusual activity or attempts to exploit this vulnerability.
- Regularly review and update security policies and procedures to address emerging threats and vulnerabilities.
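One way to implement the monitoring step above, as an added example that is not part of the advisory: scan web-server access-log lines for management-interface requests whose decoded query parameters contain shell metacharacters, the trace a CWE-78 injection attempt leaves behind. The log lines and the /mgmt/example path are constructed placeholders, since the advisory does not name the vulnerable endpoint.

```python
import re
from urllib.parse import unquote_plus

# Tokens with meaning to a POSIX shell that legitimate management-UI
# parameter values rarely contain.
SHELL_META = re.compile(r"[;|&`\n]|\$\(|\$\{")

# Common Log Format: client, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_params(target):
    """Return {param: decoded value} for query parameters carrying shell metacharacters."""
    if "?" not in target:
        return {}
    hits = {}
    for pair in target.split("?", 1)[1].split("&"):
        key, _, raw = pair.partition("=")
        # Decode twice so double-encoded values (%2526 -> %26 -> &) are caught too.
        value = unquote_plus(unquote_plus(raw))
        if SHELL_META.search(value):
            hits[key] = value
    return hits


def scan(lines):
    """Return (client_ip, timestamp, request_target, hits) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append((m.group("ip"), m.group("ts"), m.group("target"), hits))
    return findings


# Constructed sample log; /mgmt/example is a placeholder path, not a real Flowmon endpoint.
SAMPLE_LOG = [
    '203.0.113.10 - - [24/Apr/2024:10:15:32 +0000] "GET /mgmt/example?page=2&sort=name HTTP/1.1" 200 512',
    '203.0.113.10 - - [24/Apr/2024:10:15:40 +0000] "GET /mgmt/example?name=daily%3Bid HTTP/1.1" 200 88',
    '198.51.100.7 - - [24/Apr/2024:11:02:01 +0000] "GET /mgmt/example?name=x%2526%2526id HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```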
References
For more detailed information on CVE-2024-2389, please refer to the following sources:
NVD - CVE-2024-2389: https://nvd.nist.gov/vuln/detail/CVE-2024-2389
Rhino Security Labs - CVE-2024-2389: https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/
Kemp Technologies - CVE-2024-2389: https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
GitHub PoC: https://github.com/adhikara13/CVE-2024-2389
Help Net Security - PoC for CVE-2024-2389: https://www.helpnetsecurity.com/2024/04/24/poc-cve-2024-2389/
Metasploit Module for Unauthenticated Command Injection: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/progress_flowmon_unauth_cmd_injection.rb
Metasploit Module for Local Privilege Escalation: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/progress_flowmon_sudo_privesc_2024.rb
Rescana is here for you
At Rescana, we understand the critical importance of protecting your organization from emerging threats and vulnerabilities. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help you identify, assess, and mitigate risks in real-time. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com. We are here to support you in safeguarding your digital assets and ensuring the security of your operations.