Proof-of-concept exploit code has been released for a maximum-severity vulnerability in Progress Flowmon, a tool for monitoring network performance and visibility.
Progress Flowmon combines performance monitoring, diagnostics, and network detection and response features. It is used by more than 1,500 companies worldwide, including SEGA, KIA, TDK, Volkswagen, Orange, and Tietoevry.
The issue carries the maximum severity score of 10/10 and was discovered by researchers at Rhino Security Labs. It is tracked as CVE-2024-2389.
An attacker exploiting the vulnerability can use a specially crafted API request to gain remote, unauthenticated access to the Flowmon web interface and execute arbitrary system commands.
Flowmon developer Progress Software first alerted customers about the flaw on April 4, warning that it affects the 12.x and 11.x versions of the product. The company urged system administrators to upgrade to the latest releases, v12.3.4 and v11.1.14.
The security update was made available to all Flowmon customers, either automatically through the 'Automatic package download' system or manually from the vendor's download center. Progress also recommended upgrading all Flowmon modules afterwards.
Exploit code available
In a report published today, Rhino Security Labs released technical details for the vulnerability along with a demo showing how an attacker could exploit the issue to plant a webshell and escalate privileges to root.
The researchers explain that they were able to inject commands by manipulating the 'pluginPath' or 'file' parameters to embed malicious commands. Using the shell's command substitution syntax, e.g. $(…), they could achieve arbitrary command execution.
"The command executes blindly so it is not possible to see the output of the executed command, but it is possible to write a webshell to /var/www/shtml/," the researchers explain.
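Because the injected command runs blindly, the web access log is one of the few places where an exploitation attempt leaves a trace. The following Python script is an added example written for this article; it is not code from the Rhino Security Labs report or from the Flowmon product. It scans access-log lines for requests whose 'pluginPath' or 'file' query parameter, after percent-decoding, contains shell command substitution. The page only mentions the $(…) form; the script also matches backtick substitution as a generalisation. The log lines, the client addresses and the request path '/example/endpoint' are constructed placeholders, since the article does not name the vulnerable endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Query parameters named in the Rhino Security Labs write-up as injection points.
SUSPECT_PARAMS = {"pluginpath", "file"}

# POSIX shell command-substitution forms: $( ... ) as used in the write-up,
# plus the older backtick form (added here as a generalisation).
SUBST_RE = re.compile(r"\$\(|`")

# Minimal parser for combined-log-format lines: source IP, timestamp, request target.
REQ_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) '
)

# Constructed sample log (placeholder addresses and endpoint, not real Flowmon logs).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2024:12:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2024:12:01:05 +0000] "GET /example/endpoint?pluginPath=%24%28id%29&file=x HTTP/1.1" 200 0 "-" "curl/8.0"
203.0.113.7 - - [10/Apr/2024:12:01:09 +0000] "GET /example/endpoint?pluginPath=ok&file=%60whoami%60 HTTP/1.1" 200 0 "-" "curl/8.0"
198.51.100.2 - - [10/Apr/2024:12:02:00 +0000] "GET /example/endpoint?file=report.pdf HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def suspicious_params(target):
    """Return (name, decoded value) pairs for suspect parameters whose value
    contains shell command substitution. Values are decoded twice so that a
    double-encoded payload ("%2524%2528") is still caught."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once already
        if name.lower() in SUSPECT_PARAMS and SUBST_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Scan access-log text and return one finding per request that carries
    command substitution in a suspect parameter."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({
                "src": m.group("src"),
                "ts": m.group("ts"),
                "target": m.group("target"),
                "hits": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["src"], f["hits"])
```

Two caveats for anyone running this against real logs: access logs record only the request line, so a payload sent in a POST body would not appear here, and a hit in the log does not by itself confirm success. Per the researchers' description, the host-side indicator to pair with it is an unexpected file under /var/www/shtml/.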
It is worth noting that in an alert about two weeks ago Italy's CSIRT warned that an exploit had already become available. Indeed, BleepingComputer found that a security researcher had published a working PoC for CVE-2024-2389 on X on April 10.
Flowmon servers exposed
The number of Flowmon instances exposed on the public internet appears to vary considerably depending on the search engine.
At publishing time, a query on the Fofa search engine for network assets shows about 500 Flowmon servers exposed online, while Shodan and Hunter see fewer than 100 instances.
On April 19, Progress Software stated in a security bulletin that it had received no reports of active exploitation of CVE-2024-2389. Nevertheless, with a public PoC available, addressing the issue by upgrading to a fixed version as soon as possible is essential.