Time to patch: Multiple critical vulnerabilities under exploitation
Summary
At Kudelski Security, with the end of the year approaching, we have observed multiple vulnerabilities being exploited recently. They range from long-standing ones, such as CVE-2024-34102 in Adobe Commerce (formerly Magento), dubbed “CosmicSting”, to the very recent Cleo File Transfer Software vulnerability (CVE-2024-50623), as well as the critical Windows Lightweight Directory Access Protocol (LDAP) vulnerability CVE-2024-49112. Our key message is to act quickly on vulnerabilities found in your environment. Do not let open vulnerabilities rot: one day or another it will backfire, and this is the time of year when we see a great deal of exploitation activity. The critical CVEs described below are not exhaustive, so we encourage our clients to rely on their vulnerability management practice to make sure no blatant hole is left unchecked.
Critical Vulnerability in Adobe Commerce (CVE-2024-34102) – “CosmicSting”
A critical vulnerability, identified as CVE-2024-34102 and dubbed “CosmicSting”, was discovered in Adobe Commerce (formerly Magento). It is an XML External Entity (XXE) flaw in the way the system deserializes REST API input: an unauthenticated attacker can read sensitive files from the server and, from there, obtain admin-level access to the REST API, GraphQL, or SOAP interfaces, effectively taking full control of the application. This vulnerability is already being actively exploited across Switzerland, which further emphasizes the urgency of addressing it.
Widespread Exploitation of Cleo File Transfer Software Vulnerability (CVE-2024-50623)
A critical vulnerability (CVE-2024-50623) in Cleo file transfer products, including Cleo VLTrader, Cleo Harmony, and Cleo LexiCom, has been actively exploited in the wild. The flaw, initially disclosed in October 2024, allows unauthenticated command execution on affected systems, compromising their integrity. Cleo issued version 5.8.0.21 to address it, but versions up to and including 5.8.0.21 were subsequently found to remain exploitable through a related, newly uncovered vulnerability, leading to an escalation in exploitation.
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2024-49112)
A critical remote code execution vulnerability (CVE-2024-49112) has been discovered in the Windows Lightweight Directory Access Protocol (LDAP) and has been disclosed as part of the recent Patch Tuesday from Microsoft. This vulnerability affects both LDAP clients and servers running affected versions of Windows, allowing unauthenticated remote attackers to execute arbitrary code within the context of the LDAP service.
Affected Systems and/or Applications
Widespread Exploitation of Cleo File Transfer Software Vulnerability (CVE-2024-50623)
The following versions of Cleo products are vulnerable to CVE-2024-50623 and to a newly discovered vulnerability (CVE pending):
- Cleo Harmony prior to version 5.8.0.24
- Cleo VLTrader prior to version 5.8.0.24
- Cleo LexiCom prior to version 5.8.0.24
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2024-49112)
This vulnerability impacts several Windows operating system versions, including but not limited to:
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows 10 (Versions 21H2, 22H2, and older servicing branches)
- Windows 11 (Versions 22H2, 23H2, 24H2)
A full list of affected versions and corresponding updates is included in the Microsoft Security Update table.
Technical Details
Critical Vulnerability in Adobe Commerce (CVE-2024-34102) – “CosmicSting”
- CVE-2024-34102 arises from improper deserialization mechanisms within the REST API of Adobe Commerce (Magento). This flaw specifically affects the way data is processed from HTTP requests, allowing an attacker to inject malicious payloads that bypass security filters and lead to remote code execution or unauthorized access.
- The vulnerability was discovered during a bug bounty investigation, in which the researcher identified insecure deserialization in how the system handled customer address data. This allowed malicious XML payloads to be injected, leveraging an XXE (XML External Entity) attack to read sensitive files and ultimately gain unauthorized access to the admin panel.
- The flaw exists due to the system’s overly flexible deserialization logic, which fails to separate user-controlled data from system-controlled data, creating opportunities for denial of service (DoS) and remote code execution (RCE) via malicious XML payloads.
- Attack Flow:
  - Initial Discovery:
    - The attacker discovered that certain REST API endpoints in Adobe Commerce could be accessed without proper authentication, such as /V1/guest-carts/:cartId/collect-totals.
    - By sending a crafted HTTP request, attackers could interact with the system without
  - Deserialization Flaw:
    - During deserialization of input parameters (such as address data), an attacker could inject unexpected content, such as XML data or invalid object types, which would trigger unsafe deserialization behavior.
    - This allowed the attacker to manipulate the request, leading to the execution of arbitrary code or access to sensitive system files (e.g., env.php).
  - Exploitation via XXE Attack:
    - The attacker exploited the XXE vulnerability by injecting XML External Entity (XXE) payloads into the data being deserialized.
    - Through this, the attacker was able to leak sensitive application configuration files (such as env.php) containing critical information like encryption keys.
  - Privilege Escalation:
    - With access to the env.php file and the encryption keys it contains, the attacker was able to craft a JSON Web Token (JWT) granting admin-level access.
    - This allowed the attacker to gain full administrative control over the platform, including the ability to read and write sensitive customer and system data.
Widespread Exploitation of Cleo File Transfer Software Vulnerability (CVE-2024-50623)
Reports of active exploitation began circulating on December 9, 2024. The vulnerability, which allows unauthenticated attackers to upload and execute arbitrary bash or PowerShell commands on vulnerable systems, targets a flaw in the Autorun directory of Cleo products. This is a critical security issue as it can lead to full system compromise without any authentication.
Rapid7 and Huntress have observed a range of post-exploitation activities, including the installation of modular backdoors and the enumeration of system information. Attackers have also exploited the NTLM hash of user accounts for lateral movement and privilege escalation, particularly using the “OverPass-The-Hash” technique. Other signs of exploitation include the execution of system commands like systeminfo, whoami, and nltest, as well as suspicious PowerShell commands.
Indicators of Compromise
- Network IOCs:
- 89.248.172[.]139
- 176.123.10[.]115
- 185.162.128[.]133
- 185.163.204[.]137
- 185.181.230[.]103
- 8.67.51[.]13
- 123.56.49[.]71
- URL:
- Post-Exploitation Behavior:
- Commands: systeminfo, whoami, wmic logicaldisk get name,size, nltest /domain_trusts
- Techniques: “OverPass-The-Hash” for lateral movement, PowerShell-based persistence
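As an added example, not part of the Rapid7 or Huntress reporting nor of this advisory's original content, the following Python script applies the indicators above to two constructed log sources: outbound connection records (to catch traffic to the listed IPs) and process-creation records from a Cleo host (to catch the systeminfo / whoami / wmic / nltest discovery chain and encoded PowerShell). The key=value log format, the hostnames, the timestamps and the non-IOC address 198.51.100.7 are invented for the example; only the IP addresses and command names come from the advisory.

```python
import ipaddress
import re
from collections import defaultdict

# Network IOCs from the advisory (defanged in the text, refanged here for matching).
IOC_IPS = {ipaddress.ip_address(ip) for ip in (
    "89.248.172.139", "176.123.10.115", "185.162.128.133", "185.163.204.137",
    "185.181.230.103", "8.67.51.13", "123.56.49.71",
)}

# Discovery commands reported after exploitation, matched anywhere in the
# command line so that "cmd.exe /c systeminfo" and a full path both hit.
DISCOVERY_PATTERNS = {
    "systeminfo": re.compile(r"(?:^|[\\\s])systeminfo(?:\.exe)?\b", re.I),
    "whoami": re.compile(r"(?:^|[\\\s])whoami(?:\.exe)?\b", re.I),
    "wmic logicaldisk": re.compile(r"(?:^|[\\\s])wmic(?:\.exe)?\s+logicaldisk\s+get\b", re.I),
    "nltest domain_trusts": re.compile(r"(?:^|[\\\s])nltest(?:\.exe)?\s+/domain_trusts\b", re.I),
    "encoded powershell": re.compile(r"powershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+\S+", re.I),
}

# Distinct discovery commands from one host needed before we call it a chain
# rather than an administrator running a single command.
CHAIN_THRESHOLD = 3

# Records are assumed to be space-separated key=value pairs with the command
# line quoted. This format is constructed for the example.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(line: str) -> dict:
    """Turn one key=value record into a dict, stripping quotes from values."""
    return {k: (inner if raw.startswith('"') else raw) for k, raw, inner in KV.findall(line)}


def match_network(lines) -> list:
    """Return (host, dst_ip, ts) for connection records whose destination is an IOC."""
    hits = []
    for line in lines:
        rec = parse_kv(line)
        if rec.get("type") != "conn":
            continue
        try:
            dst = ipaddress.ip_address(rec.get("dst", ""))
        except ValueError:
            continue  # malformed or missing destination: skip the record
        if dst in IOC_IPS:
            hits.append((rec.get("host", "?"), str(dst), rec.get("ts", "?")))
    return hits


def match_discovery(lines) -> dict:
    """Group discovery commands by host and return the hosts whose distinct
    command count meets CHAIN_THRESHOLD, with the labels that matched."""
    per_host = defaultdict(set)
    for line in lines:
        rec = parse_kv(line)
        if rec.get("type") != "proc":
            continue
        cmd = rec.get("cmd", "")
        for label, pat in DISCOVERY_PATTERNS.items():
            if pat.search(cmd):
                per_host[rec.get("host", "?")].add(label)
    return {h: sorted(c) for h, c in per_host.items() if len(c) >= CHAIN_THRESHOLD}


def triage(lines) -> dict:
    """Combine both detections into one report keyed by finding type."""
    return {"ioc_connections": match_network(lines), "discovery_chains": match_discovery(lines)}


# Constructed sample records (hostnames, timestamps and the address
# 198.51.100.7 are invented; the IOC address comes from the advisory).
SAMPLE_LOGS = [
    'ts=2024-12-10T02:14:07Z type=conn host=cleo-edge01 src=10.20.0.15 dst=176.123.10.115 dport=443',
    'ts=2024-12-10T02:14:09Z type=conn host=cleo-edge01 src=10.20.0.15 dst=198.51.100.7 dport=443',
    'ts=2024-12-10T02:14:30Z type=proc host=cleo-edge01 user=SYSTEM cmd="C:\\Windows\\System32\\cmd.exe /c systeminfo"',
    'ts=2024-12-10T02:14:31Z type=proc host=cleo-edge01 user=SYSTEM cmd="whoami"',
    'ts=2024-12-10T02:14:33Z type=proc host=cleo-edge01 user=SYSTEM cmd="wmic logicaldisk get name,size"',
    'ts=2024-12-10T02:14:35Z type=proc host=cleo-edge01 user=SYSTEM cmd="nltest /domain_trusts"',
    'ts=2024-12-10T02:15:02Z type=proc host=cleo-edge01 user=SYSTEM cmd="powershell.exe -nop -w hidden -enc SQBFAFgA"',
    'ts=2024-12-10T09:01:11Z type=proc host=ws-admin07 user=jdoe cmd="whoami"',
]

if __name__ == "__main__":
    for kind, findings in triage(SAMPLE_LOGS).items():
        print(kind, findings)
```

The threshold is what keeps the second host out of the report: a single whoami from an administrator's workstation is noise, while four discovery commands plus an encoded PowerShell launch from the Cleo server within a minute is the post-exploitation pattern described above. Point the two matchers at your own firewall/proxy and EDR process-creation exports after converting them to the same key=value shape.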
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2024-49112)
CVE-2024-49112 is caused by an integer overflow issue in the processing of LDAP requests, which can lead to remote code execution. This vulnerability specifically affects versions of Windows where LDAP services are exposed via Remote Procedure Call (RPC). An attacker exploiting this vulnerability could gain control over the target system without needing authentication.
Exploitability and Attack Scenarios
- Domain Controllers: An attacker must send specially crafted RPC requests targeting the domain controller to trigger a lookup of an attacker-controlled domain.
- LDAP Clients: An attacker could trick a user or application into connecting to a malicious LDAP server. If successful, this would allow the attacker to execute arbitrary code on the victim system.
Mitigation
Critical Vulnerability in Adobe Commerce (CVE-2024-34102) – “CosmicSting”
- Upgrade to Latest Version:
- Ensure that you are using the latest version of Adobe Commerce (Magento). Adobe has released patches to address this issue. Users should upgrade to the fixed version as soon as possible to protect against this vulnerability.
- Apply Security Patches:
- Apply any available security patches released by Adobe or third-party security organizations. Check Adobe’s official security advisory for detailed instructions on how to update your system.
- API Authentication:
- Disable or restrict anonymous API access. Ensure that all API endpoints require proper authentication before allowing data to be submitted or processed.
- Limit Data Deserialization:
- Review and tighten the deserialization logic, ensuring that no user-controlled data can be deserialized into system objects without proper validation.
- Avoid processing XML or JSON input that includes external entity references or untrusted data.
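As an added illustration of the last two mitigation points, and not code from Adobe or the Magento project, the following Python snippet shows a pre-deserialization check for REST request bodies: it walks the decoded JSON document, rejects any string value that carries an XML prolog, DOCTYPE or entity declaration (the shape of the XXE payload described in the attack flow above), and shows an XML loader built on the standard library's expat parser that refuses DTDs outright so external entities can never be resolved. The sample request bodies, the field names and the file path inside the payload are constructed for the example and are not taken from the original advisory.

```python
import json
import re
import xml.parsers.expat as expat

# Markers of a DTD / external-entity payload. A legitimate address or cart
# field never carries an XML prolog, DOCTYPE or ENTITY declaration, so any
# hit is a hard reject before the value reaches the deserializer.
XXE_MARKERS = re.compile(r"<\?xml|<!DOCTYPE|<!ENTITY|\bSYSTEM\s*[\"']|\bPUBLIC\s*[\"']", re.IGNORECASE)


class UnsafeInput(ValueError):
    """Raised when user-controlled data must not reach the deserializer."""


def find_xxe_indicators(obj, path="$"):
    """Walk a decoded JSON body and return (json_path, snippet) for every
    string value that looks like smuggled XML/DTD content."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            hits.extend(find_xxe_indicators(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_xxe_indicators(value, f"{path}[{i}]"))
    elif isinstance(obj, str):
        m = XXE_MARKERS.search(obj)
        if m:
            hits.append((path, obj[m.start():m.start() + 40]))
    return hits


def validate_rest_body(raw_body: str) -> dict:
    """Decode a JSON REST body and refuse it, before any object
    deserialization happens, if XXE markers appear in any string value."""
    body = json.loads(raw_body)
    hits = find_xxe_indicators(body)
    if hits:
        raise UnsafeInput("rejected: XXE indicators at " + ", ".join(p for p, _ in hits))
    return body


def body_is_rejected(raw_body: str) -> bool:
    """True if validate_rest_body refuses the body."""
    try:
        validate_rest_body(raw_body)
    except UnsafeInput:
        return True
    return False


def parse_xml_no_dtd(text: str) -> list:
    """Parse XML with the stdlib expat parser but abort on any DOCTYPE or
    entity declaration, so external entities can never be resolved.
    Returns the element names seen, in document order."""
    seen = []
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeInput(f"DOCTYPE '{name}' not allowed")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeInput(f"entity declaration '{name}' not allowed")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(text, True)  # handler exceptions propagate out of Parse()
    return seen


def xml_is_rejected(text: str) -> bool:
    """True if parse_xml_no_dtd refuses the document."""
    try:
        parse_xml_no_dtd(text)
    except UnsafeInput:
        return True
    return False


# Constructed sample bodies for a guest-cart style endpoint (not real traffic;
# the field names and the file path are assumptions for the example).
BENIGN_BODY = json.dumps({
    "address": {"street": ["1 Main Street"], "city": "Geneva", "country_id": "CH", "postcode": "1200"}
})
MALICIOUS_BODY = json.dumps({
    "address": {"street": ["1 Main Street"], "city": "Geneva",
                "extension_attributes": {"data": (
                    '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe '
                    'SYSTEM "file:///var/www/html/app/etc/env.php">]><x>&xxe;</x>')}}
})

if __name__ == "__main__":
    print("benign body accepted:", validate_rest_body(BENIGN_BODY)["address"]["city"])
    print("malicious body rejected:", body_is_rejected(MALICIOUS_BODY))
    print("strict parser, clean input:", parse_xml_no_dtd("<order><item sku='A'/></order>"))
    print("strict parser, DTD input rejected:",
          xml_is_rejected('<!DOCTYPE d [<!ENTITY e SYSTEM "file:///etc/passwd">]><d>&e;</d>'))
```

The check is deliberately placed before deserialization rather than inside it: once a framework has started turning request fields into objects, it is too late to decide that one of them should never have been an XML document. The strict parser is the fallback for the code paths that legitimately need XML, where disabling DTD processing removes the external-entity capability the attack relied on.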
Widespread Exploitation of Cleo File Transfer Software Vulnerability (CVE-2024-50623)
- Immediate Action: Update all affected Cleo products to version 5.8.0.24 or later.
- Network Segmentation: Remove vulnerable Cleo products from the public internet and ensure they are behind a properly configured firewall.
- Disable Autorun Directory: Disable the Autorun Directory feature, which processes command files automatically, to prevent further exploitation.
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2024-49112)
To mitigate the risk of exploitation:
- Apply Security Updates: Ensure that the latest security updates from Microsoft are applied to the affected systems. Microsoft has released security updates for all supported versions of Windows that address CVE-2024-49112. Administrators should apply the updates immediately to protect systems from potential exploitation. Please refer to the Microsoft Security Update page for detailed patch installation instructions.
- Network Configurations: It is recommended to configure domain controllers to either:
  - Not access the internet.
  - Not allow inbound RPC connections from untrusted networks.
Both measures together reduce the risk of exploitation: the first prevents a domain controller from reaching an attacker-controlled LDAP server during the triggered lookup, and the second prevents the crafted RPC requests from reaching the domain controller in the first place.
- Firewall Rules: Restrict access to the LDAP and RPC ports on domain controllers (TCP 389 and 636 for LDAP and LDAPS, TCP 3268 and 3269 for the Global Catalog, TCP 135 and the dynamic RPC port range), ensuring that only trusted internal networks can communicate with domain controllers.
What the Cyber Fusion Center is Doing
The CFC will continue to monitor the situation and send an advisory update if needed. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.
References
Cleo Product Security Advisory – CVE-2024-50623 – Cleo
Widespread exploitation of Cleo file transfer software (CVE-2024-50623) – Rapid7 Blog
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2024-49112) – Microsoft Security Response Center